From feb4080ecd081175963d2c60a075d03913657bfe Mon Sep 17 00:00:00 2001
From: Yaroslav Bondarets
Date: Wed, 1 Nov 2023 15:21:50 +0200
Subject: [PATCH 001/146] New logo
---
components/shared/shell/Brand.tsx | 4 +-
lib/app.ts | 2 +-
public/unicis-platform-logo-hor-cropped.svg | 305 ++++++++++++++++++++
3 files changed, 309 insertions(+), 2 deletions(-)
create mode 100644 public/unicis-platform-logo-hor-cropped.svg
diff --git a/components/shared/shell/Brand.tsx b/components/shared/shell/Brand.tsx
index 88f98ebf..9a7085b2 100644
--- a/components/shared/shell/Brand.tsx
+++ b/components/shared/shell/Brand.tsx
@@ -3,7 +3,9 @@ import app from '@/lib/app'; const Brand = () => { return (
- {app.name} + {app.name} {/* {app.name} */}
); diff --git a/lib/app.ts b/lib/app.ts index 7838ad07..2f755fde 100644 --- a/lib/app.ts +++ b/lib/app.ts @@ -5,7 +5,7 @@ import packageInfo from '../package.json'; const app = { version: packageInfo.version, name: 'Unicis Platform', - logoUrl: 'https://www.unicis.tech/img/logo-unicis.png', + logoUrl: '/unicis-platform-logo-hor-cropped.svg', url: 'http://localhost:3002', }; diff --git a/public/unicis-platform-logo-hor-cropped.svg b/public/unicis-platform-logo-hor-cropped.svg new file mode 100644 index 00000000..e1418be9 --- /dev/null +++ b/public/unicis-platform-logo-hor-cropped.svg @@ -0,0 +1,305 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 21ac597119164cfa4f59af4433691d7c2ab352c2 Mon Sep 17 00:00:00 2001 
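Review bot: The added line in Brand.tsx keeps the old brand text as commented-out JSX, `{/* {app.name} */}`, beside the new logo markup; commented-out code rots quickly, so either delete it or, if the name is still wanted for screen readers, render it as a visually-hidden span instead of a comment. The element tags did not survive extraction, so I cannot confirm the new image element carries `alt={app.name}`; if the `{app.name}` that survives on the added line is that `alt`, the comment is redundant and can go. The `Brand` component's closing `};` lies outside the hunk.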
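Review bot: `logoUrl` changes from an absolute URL to the root-relative `/unicis-platform-logo-hor-cropped.svg`, which only resolves inside the running app; any consumer that needs a fully-qualified URL (e-mail templates, identity-provider metadata, Open Graph tags) would now emit a broken link, so confirm no such consumer exists or have it build `new URL(app.logoUrl, app.url).href` at the use site. The 305-line SVG added under `public/` is stripped from this extract, so before merge it is worth checking that the exported file contains no `<script>`, `on*` handlers or external `href`/`xlink:href` references: it is served from the app's own origin, and while an image element will not execute script, the same file opened directly would. A comment above the field, `// Root-relative static asset; prefix with app.url where an absolute URL is required`, would make the new contract explicit.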
From: Yaroslav Bondarets
Date: Tue, 7 Nov 2023 19:42:45 +0200
Subject: [PATCH 002/146] CSC Iso sets
---
.../data/ISO-CSC-controls-2013.json | 800 ++++++++++++++++++
.../data/ISO-CSC-controls-2022.json | 653 ++++++++++++++
components/defaultLanding/data/configs/csc.ts | 147 +++-
components/interfaces/CSC/RadarChart.tsx | 101 ++-
components/interfaces/CSC/SectionFilter.tsx | 6 +-
components/interfaces/CSC/StatusSelector.tsx | 7 +-
components/interfaces/CSC/StatusesTable.tsx | 29 +-
components/interfaces/CSC/TaskSelector.tsx | 14 +-
.../CSC/issue_panel/ControlBlock.tsx | 13 +-
.../CSC/issue_panel/ControlBlockViewOnly.tsx | 9 +-
.../interfaces/CSC/issue_panel/CscPanel.tsx | 21 +-
components/team/CSCSettings.tsx | 83 ++
components/team/index.ts | 1 +
hooks/useISO.ts | 46 +
hooks/usePagination.ts | 2 +
hooks/useTeam.ts | 7 +-
lib/csc.ts | 34 +-
locales/en/common.json | 2 +
models/team.ts | 115 ++-
.../api/teams/[slug]/{csc.ts => csc/index.ts} | 2 +-
pages/api/teams/[slug]/csc/iso.ts | 59 ++
.../teams/[slug]/tasks/[taskNumber]/csc.ts | 6 +-
pages/teams/[slug]/csc.tsx | 27 +-
pages/teams/[slug]/settings.tsx | 5 +-
.../teams/[slug]/tasks/[taskNumber]/index.tsx | 12 +-
types/csc.ts | 15 +
26 files changed, 2111 insertions(+), 105 deletions(-)
create mode 100644 components/defaultLanding/data/ISO-CSC-controls-2013.json
create mode 100644 components/defaultLanding/data/ISO-CSC-controls-2022.json
create mode 100644 components/team/CSCSettings.tsx
create mode 100644 hooks/useISO.ts
rename pages/api/teams/[slug]/{csc.ts => csc/index.ts} (95%)
create mode 100644 pages/api/teams/[slug]/csc/iso.ts
diff --git a/components/defaultLanding/data/ISO-CSC-controls-2013.json b/components/defaultLanding/data/ISO-CSC-controls-2013.json
new file mode 100644
index 00000000..f029f0fb
--- /dev/null
+++ b/components/defaultLanding/data/ISO-CSC-controls-2013.json
@@ -0,0 +1,800 @@ +[ + { + "Code": "A.5.1.1", + "Section": "Information security policies - Management direction for information security", + "Control": "Policies for information security", + "Requirements": "A set of policies for information and cybersecurity shall be defined, approved by C-level, published and communicated to employees and relevant external parties.", + "Status": "Unknown" + }, + { + "Code": "A.5.1.2", + "Section": "Information security policies - Management direction for information security", + "Control": "Review of the policies for information security", + "Requirements": "The policies for information and cybersecurity shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, communication and effectiveness.", + "Status": "Unknown" + }, + { + "Code": "A.6.1.1", + "Section": "Organization of information security - Internal Organization", + "Control": "Information security roles and responsibilities", + "Requirements": "All information and cybersecurity roles and responsibilities shall be defined and allocated.", + "Status": "Unknown" + }, + { + "Code": "A.6.1.2", + "Section": "Organization of information security - Internal Organization", + "Control": "Segregation of duties", + "Requirements": "Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.", + "Status": "Unknown" + }, + { + "Code": "A.6.1.3", + "Section": "Organization of information security - Internal Organization", + "Control": "Contact with authorities", + "Requirements": "It is necessary to maintain proper communications with the relevant authorities.", + "Status": "Unknown" + }, + { + "Code": "A.6.1.4", + "Section": "Organization of information security - Internal Organization", + "Control": "Contact with special interest groups", + "Requirements": "Appropriate connections should be established with 
special interest organizations or other forums for professional security and professional associations.", + "Status": "Unknown" + }, + { + "Code": "A.6.1.5", + "Section": "Organization of information security - Internal Organization", + "Control": "Information security in project management", + "Requirements": "Throughout project management, the confidentiality of information should be discussed irrespective of project type", + "Status": "Unknown" + }, + { + "Code": "A.6.2.1", + "Section": "Organization of information security - Mobile devices and teleworking", + "Control": "Mobile device policy", + "Requirements": "To manage the risks introduced by the use of mobile devices, a policy and supporting safety measures should be adopted.", + "Status": "Unknown" + }, + { + "Code": "A.6.2.2", + "Section": "Organization of information security - Mobile devices and teleworking", + "Control": "Teleworking", + "Requirements": "To guard the accessed, processed, or stored information at teleworking sites, a policy and supporting security measures should be implemented.", + "Status": "Unknown" + }, + { + "Code": "A.7.1.1", + "Section": "Human Resources Security - Prior to employment", + "Control": "Screening", + "Requirements": "Background verification checks on all job applicants will be performed in compliance with applicable rules, legislation, and ethics and should be proportionate to business criteria, classification of the information to be obtained, and potential risks.", + "Status": "Unknown" + }, + { + "Code": "A.7.1.2", + "Section": "Human Resources Security - Prior to employment", + "Control": "Terms and conditions of employment", + "Requirements": "Contract agreements with employees and contractors would set out their responsibility for information security, and hence the responsibility of the company.", + "Status": "Unknown" + }, + { + "Code": "A.7.2.1 ", + "Section": "Human Resources Security - During employment", + "Control": "Management responsibilities", + 
"Requirements": "Management should mandate all employees and contractors to exercise information security in accordance with established policies and procedures set by the organization.", + "Status": "Unknown" + }, + { + "Code": "A.7.2.2 ", + "Section": "Human Resources Security - During employment", + "Control": "Information security awareness, education and training", + "Requirements": "All company workers and, where necessary, contractors will receive adequate awareness education and training, as well as daily updates on organizational policies and procedures, as applicable to their job function.", + "Status": "Unknown" + }, + { + "Code": "A.7.2.3 ", + "Section": "Human Resources Security - During employment", + "Control": "Disciplinary process", + "Requirements": "A formal and informed administrative process will be in place to take action against employees who have committed an information security breach.", + "Status": "Unknown" + }, + { + "Code": "A.7.3.1 ", + "Section": "Human Resources Security - Termination and change of employment", + "Control": "Termination or change of employment responsibilities", + "Requirements": "Responsibility and information/cyber security requirements that continue to be valid following termination or change of employment must be defined, communicated to, and implemented by the employee or contractor.", + "Status": "Unknown" + }, + { + "Code": "A.8.1.1", + "Section": "Asset Management - Responsibility for assets", + "Control": "Inventory of assets", + "Requirements": "Assets related to information and information facilities of an organization should be identified and listed, inventory of these assets should also be maintained.", + "Status": "Unknown" + }, + { + "Code": "A.8.1.2", + "Section": "Asset Management - Responsibility for assets", + "Control": "Ownership of assets", + "Requirements": "Assets in the inventory should have their owners (Asset-owner)", + "Status": "Unknown" + }, + { + "Code": "A.8.1.3", + "Section": "Asset 
Management - Responsibility for assets", + "Control": "Acceptable use of assets", + "Requirements": "Rules should be identified, documented, and implemented for the acceptable use of information and assets linked to information and information processing facilities.", + "Status": "Unknown" + }, + { + "Code": "A.8.1.4 ", + "Section": "Asset Management - Responsibility for assets", + "Control": "Return of assets", + "Requirements": "Both workers and external stakeholders must return all the organizational assets in their possession upon termination of their job, contract or agreement", + "Status": "Unknown" + }, + { + "Code": "A.8.2.1 ", + "Section": "Asset Management - Information classification", + "Control": "Classification of information", + "Requirements": "Information should be classification in the basis of their legal provisions, criticality, and vulnerability to unwanted release or alteration", + "Status": "Unknown" + }, + { + "Code": "A.8.2.2 ", + "Section": "Asset Management - Information classification", + "Control": "Labelling of information", + "Requirements": "In accordance with the information classification scheme adopted by the organization, an adequate set of methods for labelling information should be established and implemented.", + "Status": "Unknown" + }, + { + "Code": "A.8.2.3 ", + "Section": "Asset Management - Information classification", + "Control": "Handling of assets", + "Requirements": "Handling of assets in accordance with the organization’s information classification scheme should be developed and implemented.", + "Status": "Unknown" + }, + { + "Code": "A.8.3.1 ", + "Section": "Asset Management - Media handling", + "Control": "Management of removable media", + "Requirements": "Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.", + "Status": "Unknown" + }, + { + "Code": "A.8.3.2 ", + "Section": "Asset Management - Media handling", + "Control": 
"Disposal of media", + "Requirements": "When not required by specific protocols, media should be disposed of securely.", + "Status": "Unknown" + }, + { + "Code": "A.8.3.3 ", + "Section": "Asset Management - Media handling", + "Control": "Physical media transfer", + "Requirements": "Information media should be protected from unauthorized access, misuse or corruption during transportation.", + "Status": "Unknown" + }, + { + "Code": "A.9.1.1 ", + "Section": "Access Control - Business requirements of access control", + "Control": "Access control policy", + "Requirements": "An access control policy with supporting business and information security requirements should be established, documented, and reviewed.", + "Status": "Unknown" + }, + { + "Code": "A.9.1.2 ", + "Section": "Access Control - Business requirements of access control", + "Control": "Access to networks and network services", + "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.", + "Status": "Unknown" + }, + { + "Code": "A.9.2.1 ", + "Section": "Access Control - User access management", + "Control": "User registration and de-registration", + "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.", + "Status": "Unknown" + }, + { + "Code": "A.9.2.2 ", + "Section": "Access Control - User access management", + "Control": "User access provisioning", + "Requirements": "A formal process for granting access to users should be put in place to grant or remove access privileges for all categories of users to all systems and services.", + "Status": "Unknown" + }, + { + "Code": "A.9.2.3 ", + "Section": "Access Control - User access management", + "Control": "Management of privileged access rights", + "Requirements": "A structured authorizing procedure in accordance with the appropriate access management policies should monitor the allocation and usage of delegated access 
privileges.", + "Status": "Unknown" + }, + { + "Code": "A.9.2.4 ", + "Section": "Access Control - User access management", + "Control": "Management of secret authentication information of users", + "Requirements": "A structured management process should control the allocation of secret authentication information.", + "Status": "Unknown" + }, + { + "Code": "A.9.2.5 ", + "Section": "Access Control - User access management", + "Control": "Review of user access rights", + "Requirements": "Access rights of users should be reviewed regularly by asset owners.", + "Status": "Unknown" + }, + { + "Code": "A.9.2.6 ", + "Section": "Access Control - User access management", + "Control": "Removal or adjustment of access rights", + "Requirements": "Access rights of all employees and external users to information and information processing facilities should be waived upon termination of jobs, contract or agreement, or changed upon adjustment.", + "Status": "Unknown" + }, + { + "Code": "A.9.3.1 ", + "Section": "Access Control - User responsibilities", + "Control": "Use of secret authentication information of users", + "Requirements": "Use of secret authentication information should be allowed for users to follow the organization’s practices.", + "Status": "Unknown" + }, + { + "Code": "A.9.4.1 ", + "Section": "Access Control - System and application access control", + "Control": "Information access restriction", + "Requirements": "Access controls should be based on individual requirements for business applications and in compliance with a specified access control policy.", + "Status": "Unknown" + }, + { + "Code": "A.9.4.2 ", + "Section": "Access Control - System and application access control", + "Control": "Secure log-on procedures", + "Requirements": "Access to systems and applications should be controlled by a secure log-on procedure when required by the Access Control Policy.", + "Status": "Unknown" + }, + { + "Code": "A.9.4.3 ", + "Section": "Access Control - System and 
application access control", + "Control": "Password management system", + "Requirements": "Password management systems should be cooperative to ensure the quality of the passwords.", + "Status": "Unknown" + }, + { + "Code": "A.9.4.4 ", + "Section": "Access Control - System and application access control", + "Control": "Use of privileged utility programs", + "Requirements": "The use of utility programs that could bypass system and application controls should be limited and tightly controlled.", + "Status": "Unknown" + }, + { + "Code": "A.9.4.5 ", + "Section": "Access Control - System and application access control", + "Control": "Access control to program source code", + "Requirements": "Access should be limited to the source code of the program.", + "Status": "Unknown" + }, + { + "Code": "A.10.1.1 ", + "Section": "Cryptography - Cryptographic controls", + "Control": "Policy on the use of cryptographic controls", + "Requirements": "A policy on the use of cryptographic controls for protection of information shall be developed and implemented.", + "Status": "Unknown" + }, + { + "Code": "A.10.1.2 ", + "Section": "Cryptography - Cryptographic controls", + "Control": "Key management", + "Requirements": "A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.", + "Status": "Unknown" + }, + { + "Code": "A.11.1.1 ", + "Section": "Physical and Environmental Security - Secure Areas", + "Control": "Physical security perimeter", + "Requirements": "Security perimeters should be established in order to secure areas that contain either sensitive or confidential information and information processing facilities.", + "Status": "Unknown" + }, + { + "Code": "A.11.1.2 ", + "Section": "Physical and Environmental Security - Secure Areas", + "Control": "Physical entry controls", + "Requirements": "Appropriate access controls should protect places to ensure that only authorized employees are allowed access.", + 
"Status": "Unknown" + }, + { + "Code": "A.11.1.3 ", + "Section": "Physical and Environmental Security - Secure Areas", + "Control": "Securing offices, rooms and facilities", + "Requirements": "Physical security should be designed and implemented for the offices, rooms, and facilities.", + "Status": "Unknown" + }, + { + "Code": "A.11.1.4 ", + "Section": "Physical and Environmental Security - Secure Areas", + "Control": "Protecting against external and environmental threats", + "Requirements": "Physical protection should be designed and applied against natural disasters, malicious attacks or accidents.", + "Status": "Unknown" + }, + { + "Code": "A.11.1.5 ", + "Section": "Physical and Environmental Security - Secure Areas", + "Control": "Working in secure areas", + "Requirements": "Procedures should be designed and implemented for working in safe areas.", + "Status": "Unknown" + }, + { + "Code": "A.11.1.6 ", + "Section": "Physical and Environmental Security - Secure Areas", + "Control": "Delivery and loading areas", + "Requirements": "It is important to track and, where possible, differentiate between access points such as the distribution and loading areas and other locations in order to avoid unauthorized access by unauthorized persons to the premises.", + "Status": "Unknown" + }, + { + "Code": "A.11.2.1 ", + "Section": "Physical and Environmental Security - Equipment", + "Control": "Equipment siting and protection", + "Requirements": "To mitigate the risk of environmental hazards, risks, and unauthorized access, the equipment should be sited and secured.", + "Status": "Unknown" + }, + { + "Code": "A.11.2.2 ", + "Section": "Physical and Environmental Security - Equipment", + "Control": "Supporting utilities", + "Requirements": "Equipment should be secured against power failures and other disruptions caused by the supporting infrastructure failures.", + "Status": "Unknown" + }, + { + "Code": "A.11.2.3 ", + "Section": "Physical and Environmental Security - Equipment", 
+ "Control": "Cabling security", + "Requirements": "Cable for power and telecommunications that carry data or support services should be safeguarded against interception, interference, or damage.", + "Status": "Unknown" + }, + { + "Code": "A.11.2.4 ", + "Section": "Physical and Environmental Security - Equipment", + "Control": "Equipment maintenance", + "Requirements": "To ensure its continued availability and integrity, the equipment should be correctly maintained.", + "Status": "Unknown" + }, + { + "Code": "A.11.2.5 ", + "Section": "Physical and Environmental Security - Equipment", + "Control": "Removal of assets", + "Requirements": "Without prior authorization, equipment, information, or software should not be taken off-site.", + "Status": "Unknown" + }, + { + "Code": "A.11.2.6 ", + "Section": "Physical and Environmental Security - Equipment", + "Control": "Security of equipment and assets off-premises", + "Requirements": "The security of off-site assets should be applied to the various risks of working outside the premises of the organization in mind.", + "Status": "Unknown" + }, + { + "Code": "A.11.2.7 ", + "Section": "Physical and Environmental Security - Equipment", + "Control": "Secure disposal or re-use of equipment", + "Requirements": "To avoid the removal or overriding of sensitive data and software by the disposal or reuse of any device containing storage medium, all devices must be reviewed.", + "Status": "Unknown" + }, + { + "Code": "A.11.2.8 ", + "Section": "Physical and Environmental Security - Equipment", + "Control": "Unattended user equipment", + "Requirements": "Unattended equipment should be adequately protected by users.", + "Status": "Unknown" + }, + { + "Code": "A.11.2.9 ", + "Section": "Physical and Environmental Security - Equipment", + "Control": "Clear desk and clear screen policy", + "Requirements": "A clear desk policy should be adopted for papers and removable storage media and a clear screen policy should be applied to information 
processing facilities.", + "Status": "Unknown" + }, + { + "Code": "A.12.1.1", + "Section": "Operations security - Operational procedures and responsibilities", + "Control": "Documented operating procedures", + "Requirements": "Operating procedures should be documented and accessed by all users in need.", + "Status": "Unknown" + }, + { + "Code": "A.12.1.2 ", + "Section": "Operations security - Operational procedures and responsibilities", + "Control": "Change management", + "Requirements": "Changes in the organization, organizational procedures, information management facilities, and information security systems should be controlled.", + "Status": "Unknown" + }, + { + "Code": "A.12.1.3 ", + "Section": "Operations security - Operational procedures and responsibilities", + "Control": "Capacity management", + "Requirements": "In order to ensure necessary system performance, the use of resources should be monitored, adapted, and projected based on future capacity requirements.", + "Status": "Unknown" + }, + { + "Code": "A.12.1.4 ", + "Section": "Operations security - Operational procedures and responsibilities", + "Control": "Separation of development, testing and operational environments", + "Requirements": "It is important to define and enforce the degree of separation between organizational, testing and development environments needed to avoid operational problems.", + "Status": "Unknown" + }, + { + "Code": "A.12.2.1 ", + "Section": "Operations security - Protection from malware", + "Control": "Controls against malware", + "Requirements": "In combination with appropriate user awareness, the detection, prevention, and recovery controls to protect against malware should be implemented.", + "Status": "Unknown" + }, + { + "Code": "A.12.3.1 ", + "Section": "Operations security - Backup", + "Control": "Information backup", + "Requirements": "In accordance with the agreed backup policy, copies of records, program and device images shall be collected and regularly tested.", 
+ "Status": "Unknown" + }, + { + "Code": "A.12.4.1 ", + "Section": "Operations security - Logging and monitoring", + "Control": "Event logging", + "Requirements": "Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions, defects, and information security events.", + "Status": "Unknown" + }, + { + "Code": "A.12.4.2 ", + "Section": "Operations security - Logging and monitoring", + "Control": "Protection of log information", + "Requirements": "Logging and log information should be secure from intrusion and unauthorized access.", + "Status": "Unknown" + }, + { + "Code": "A.12.4.3 ", + "Section": "Operations security - Logging and monitoring", + "Control": "Administrator and operator logs", + "Requirements": "The activity of the System Manager and System Operator is to be logged, and the logs kept safe and monitored closely.", + "Status": "Unknown" + }, + { + "Code": "A.12.4.4 ", + "Section": "Operations security - Logging and monitoring", + "Control": "Clock synchronization", + "Requirements": "Clocks in all related information management systems should be integrated into a single reference time source for an organization or safety domain.", + "Status": "Unknown" + }, + { + "Code": "A.12.5.1 ", + "Section": "Operations security - Control of operational software", + "Control": "Installation of software on operational systems", + "Requirements": "To control the installation of software on operating systems, procedures should be implemented.", + "Status": "Unknown" + }, + { + "Code": "A.12.6.1 ", + "Section": "Operations security - Technical Vulnerability Management", + "Control": "Management of technical vulnerabilities", + "Requirements": "Information on technological vulnerabilities of information systems used should be obtained in a timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate measures taken to address the risk involved", + "Status": "Unknown" + }, + { + "Code": 
"A.12.6.2 ", + "Section": "Operations security - Technical Vulnerability Management", + "Control": "Restrictions on software installation", + "Requirements": "Users should set and implement rules governing software installation.", + "Status": "Unknown" + }, + { + "Code": "A.12.7.1 ", + "Section": "Operations security - Information systems audit controls", + "Control": "Information system audit controls", + "Requirements": "The audit criteria and activities related to operating system verification should be carefully prepared and decided in order to reduce business process disturbance.", + "Status": "Unknown" + }, + { + "Code": "A.13.1.1 ", + "Section": "Communications security - Network security management", + "Control": "Network controls", + "Requirements": "To protect information in systems and applications, networks should be managed and monitored.", + "Status": "Unknown" + }, + { + "Code": "A.13.1.2 ", + "Section": "Communications security - Network security management", + "Control": "Security of network services", + "Requirements": "Security protocols, quality of service, and management criteria for all network services, whether in-house or outsourced, should be defined and included in-network services agreements.", + "Status": "Unknown" + }, + { + "Code": "A.13.1.3 ", + "Section": "Communications security - Network security management", + "Control": "Segregation in networks", + "Requirements": "Network segregation should be established for information services, users, and information systems.", + "Status": "Unknown" + }, + { + "Code": "A.13.2.1 ", + "Section": "Communications security - Information transfer", + "Control": "Information transfer policies and procedures", + "Requirements": "In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed.", + "Status": "Unknown" + }, + { + "Code": "A.13.2.2 ", + "Section": "Communications security - Information transfer", 
+ "Control": "Agreements on information transfer", + "Requirements": "Agreements should address secure transfers between the organization and outside parties of business information.", + "Status": "Unknown" + }, + { + "Code": "A.13.2.3 ", + "Section": "Communications security - Information transfer", + "Control": "Electronic messaging", + "Requirements": "Electronic messaging information should be adequately protected.", + "Status": "Unknown" + }, + { + "Code": "A.13.2.4 ", + "Section": "Communications security - Information transfer", + "Control": "Confidentiality or non-disclosure agreements", + "Requirements": "Information protection requirements of the organization for confidentiality or non-disclosure agreements should be identified, regularly reviewed, and documented.", + "Status": "Unknown" + }, + { + "Code": "A.14.1.1 ", + "Section": "System acquisition, development and maintenance - Security requirements of information systems", + "Control": "Security requirements of information systems", + "Requirements": "Information security requirements for new information systems or enhancements to existing information systems should be included", + "Status": "Unknown" + }, + { + "Code": "A.14.1.2 ", + "Section": "System acquisition, development and maintenance - Security requirements of information systems", + "Control": "Securing application services on public networks", + "Requirements": "Application services which pass through public networks should be protected against fraudulent activities, contract disputes, unauthorized disclosure, and modification.", + "Status": "Unknown" + }, + { + "Code": "A.14.1.3 ", + "Section": "System acquisition, development and maintenance - Security requirements of information systems", + "Control": "Protecting application services transactions", + "Requirements": "In order to avoid incomplete transmission, misrouting, unauthorized messaging modification, unauthorized dissemination, unauthorized message replication, or replay, 
information concerning application service transactions should be covered.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.1 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "Secure development policy", + "Requirements": "Regulations for software and system development should be laid down and applied to organizational developments.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.2 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "System change control procedures", + "Requirements": "Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.3 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "Technical review of applications after operating platform changes", + "Requirements": "In changing operating platforms, critical applications of business should be revised and tested to ensure no adverse impacts on business or security.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.4 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "Restrictions on changes to software packages", + "Requirements": "Software package modifications should be discouraged, restricted to the modifications necessary, and all changes controlled strictly.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.5 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "Secure system engineering principles", + "Requirements": "In the implementation of any information system implementation project, standards for secure system engineered must be established, documented, maintained, and 
implemented.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.6 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "Secure development environment", + "Requirements": "Organizations should create secure development environments and integration efforts for the entire life cycle of system development, and should be adequately protected.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.7 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "Outsourced development", + "Requirements": "The organization must monitor activity for the development of the outsourced system.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.8 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "System security testing", + "Requirements": "During development, security functionality test should be conducted.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.9 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "System acceptance testing", + "Requirements": "New information systems, enhancements, and updated versions should be equipped with acceptance testing services and related requirements.", + "Status": "Unknown" + }, + { + "Code": "A.14.3.1 ", + "Section": "System acquisition, development and maintenance - Test data", + "Control": "Protection of test data", + "Requirements": "Careful collection, security, and review of test data should be performed.", + "Status": "Unknown" + }, + { + "Code": "A.15.1.1 ", + "Section": "Supplier relationships - Supplier relationships", + "Control": "Information security policy for supplier relationships", + "Requirements": "The supplier should be agreed with and documented information security requirements related to the risk mitigation of access by 
suppliers to organizational assets.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.15.1.2 ",
+ "Section": "Supplier relationships - Supplier relationships",
+ "Control": "Addressing security within supplier agreements",
+ "Requirements": "Any suppliers that view, process, store, communicate or provide IT infrastructure component information for the organization should be defined and agreed with all applicable information security requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.15.1.3 ",
+ "Section": "Supplier relationships - Supplier relationships",
+ "Control": "Information and communication technology supply chain",
+ "Requirements": "Supplier agreements will contain provisions to mitigate information security risks associated with IT Services and the product supply chain.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.15.2.1 ",
+ "Section": "Supplier relationships - Supplier service delivery management",
+ "Control": "Monitoring and review of supplier services",
+ "Requirements": "Organizations shall monitor, review and audit the provision of service to suppliers on a regular basis.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.15.2.2 ",
+ "Section": "Supplier relationships - Supplier service delivery management",
+ "Control": "Managing changes to supplier services",
+ "Requirements": "Change in the provision of services by providers should be managed with the focus on the criticality of enterprise information, systems, processes, and reassessment of risks and should include maintaining and improving existing information security policies, procedures, and controls.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.1 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Responsibilities and procedures",
+ "Requirements": "In order to ensure a quick, efficient, and organized response to ISO 27001 Annex : A.16 Information Security Incident Management roles and procedures 
should be defined.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.2 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Reporting information security events",
+ "Requirements": "Information security incidents should be reported as quickly as possible through appropriate management channels.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.3 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Reporting information security weaknesses",
+ "Requirements": "Any information security vulnerabilities found or suspected in systems or services in which employees and contractors are using the information systems and services of the organization should be recorded and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.4 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Assessment of and decision on information security events",
+ "Requirements": "Information security events should be analyzed and determined whether they should be listed as incidents related to information security.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.5 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Response to information security incidents",
+ "Requirements": "In the context of the documented procedures, information security incidents should be responded to.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.6 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Learning from information security incidents",
+ "Requirements": "To minimize the risk or effect of potential accidents, the experience obtained from the study and mitigation of 
information security accidents should be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.16.1.7 ",
+ "Section": "Information security incident management - Management of information security incidents and improvements",
+ "Control": "Collection of evidence",
+ "Requirements": "The organization will define, obtain, procure and retain information as documentation and implement procedures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.17.1.1 ",
+ "Section": "Information security aspects of business continuity management - Information security continuity",
+ "Control": "Planning information security continuity",
+ "Requirements": "In adverse circumstances, e.g. during a crisis or a catastrophe, the company will determine the information security standards and consistency of information security management.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.17.1.2",
+ "Section": "Information security aspects of business continuity management - Information security continuity",
+ "Control": "Implementing information security continuity",
+ "Requirements": "In order to ensure the necessary degree of consistency of information security to adverse circumstances, the company should define, document, execute, and maintain processes, procedures, and controls.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.17.1.3 ",
+ "Section": "Information security aspects of business continuity management - Information security continuity",
+ "Control": "Verify, review and evaluate information security continuity",
+ "Requirements": "In order to ensure accurate and productive to adverse circumstances, the company must review on-going controls on safety information defined and enforced at regular intervals.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.17.2.1 ",
+ "Section": "Information security aspects of business continuity management - Redundancies",
+ "Control": "Availability of information processing facilities",
+ "Requirements": "How information processing facilities are implemented 
with redundancy sufficiency to meet availability requirements. Redundancy refers to implementing, typically, duplicate hardware to ensure availability of information processing systems.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.1 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Identification of applicable legislation and contractual requirements",
+ "Requirements": "Each of information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.2 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Intellectual property rights",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.3 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Protection of records",
+ "Requirements": "In accordance with the provisions to legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification, and unauthorized access and unauthorized release.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.4 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Privacy and protection of personally identifiable information",
+ "Requirements": "Privacy and protection of personal data should be guaranteed, as required, in applicable laws and regulations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.1.5 ",
+ "Section": "Compliance - Compliance with legal and contractual requirements",
+ "Control": "Regulation of cryptographic 
controls",
+ "Requirements": "In accordance with all relevant agreements, legislation, and regulations, cryptographic controls must be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.2.1 ",
+ "Section": "Compliance - Information security reviews",
+ "Control": "Independent review of information security",
+ "Requirements": "Each of these information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.2.2 ",
+ "Section": "Compliance - Information security reviews",
+ "Control": "Compliance with security policies and standards",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.18.2.3 ",
+ "Section": "Compliance - Information security reviews",
+ "Control": "Technical compliance review",
+ "Requirements": "Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.",
+ "Status": "Unknown"
+ }
+]
\ No newline at end of file
diff --git a/components/defaultLanding/data/ISO-CSC-controls-2022.json b/components/defaultLanding/data/ISO-CSC-controls-2022.json
new file mode 100644
index 00000000..e319b852
--- /dev/null
+++ b/components/defaultLanding/data/ISO-CSC-controls-2022.json
@@ -0,0 +1,653 @@
+[
+ {
+ "Code": "A.5.1",
+ "Section": "Organizational controls",
+ "Control": "Policies for information security",
+ "Requirements": "A set of policies for information and cybersecurity shall be defined, approved by C-level, published and communicated to employees and relevant external parties.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.2",
+ "Section": "Organizational controls",
+ "Control": "Information security roles and responsibilities",
+ "Requirements": "All information and cybersecurity roles and responsibilities shall be defined and allocated.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.3",
+ "Section": "Organizational controls",
+ "Control": "Segregation of duties",
+ "Requirements": "Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.4",
+ "Section": "Organizational controls",
+ "Control": "Management responsibilities",
+ "Requirements": "Management should mandate all employees and contractors to exercise information security in accordance with established policies and procedures set by the organization.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.5",
+ "Section": "Organizational controls",
+ "Control": "Contact with authorities",
+ "Requirements": "It is necessary to maintain proper communications with the relevant authorities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.6",
+ "Section": "Organizational controls",
+ "Control": "Contact with special interest groups",
+ "Requirements": "Appropriate connections should be established with special interest organizations or other forums for professional security and professional associations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.7",
+ "Section": "Organizational controls",
+ "Control": "Threat intelligence",
+ "Requirements": "Collect and analyse information relating to information security 
threats and use that information take mitigation action.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.8",
+ "Section": "Organizational controls",
+ "Control": "Information security in projectmanagement",
+ "Requirements": "Throughout project management, the confidentiality of information should be discussed irrespective of project type.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.9",
+ "Section": "Organizational controls",
+ "Control": "Inventory of information and other associated assets",
+ "Requirements": "Assets related to information and information facilities of an organization should be identified and listed, inventory of these assets should also be maintained. And assets in the inventory should have their owners (Asset-owner).",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.10",
+ "Section": "Organizational controls",
+ "Control": "Acceptable use of information and other associated assets",
+ "Requirements": "Rules should be identified, documented, and implemented for the acceptable use of information and assets linked to information and information processing facilities. 
Handling of assets in accordance with the organization’s information classification scheme should be developed and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.11",
+ "Section": "Organizational controls",
+ "Control": "Return of assets",
+ "Requirements": "Both workers and external stakeholders must return all the organizational assets in their possession upon termination of their job, contract or agreement.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.12",
+ "Section": "Organizational controls",
+ "Control": "Classification of information",
+ "Requirements": "Information should be classification in the basis of their legal provisions, criticality, and vulnerability to unwanted release or alteration.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.13",
+ "Section": "Organizational controls",
+ "Control": "Labelling of information",
+ "Requirements": "In accordance with the information classification scheme adopted by the organization, an adequate set of methods for labelling information should be established and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.14",
+ "Section": "Organizational controls",
+ "Control": "Information transfer",
+ "Requirements": "In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed. Agreements sElectronic messaging information should be adequately protected.hould address secure transfers between the organization and outside parties of business information. ",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.15",
+ "Section": "Organizational controls",
+ "Control": "Access control",
+ "Requirements": "An access control policy with supporting business and information security requirements should be established, documented, and reviewed. 
Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.16",
+ "Section": "Organizational controls",
+ "Control": "Identity management",
+ "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.17",
+ "Section": "Organizational controls",
+ "Control": "Authentication information",
+ "Requirements": "A structured management process should control the allocation of secret authentication information. Use of secret authentication information should be allowed for users to follow the organization’s practices. Password management systems should be cooperative to ensure the quality of the passwords.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.18",
+ "Section": "Organizational controls",
+ "Control": "Access rights",
+ "Requirements": "A formal process for granting access to users should be put in place to grant or remove access privileges for all categories of users to all systems and services. Access rights of users should be reviewed regularly by asset owners. 
Access rights of all employees and external users to information and information processing facilities should be waived upon termination of jobs, contract or agreement, or changed upon adjustment.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.19",
+ "Section": "Organizational controls",
+ "Control": "Information security in supplier relationships",
+ "Requirements": "The supplier should be agreed with and documented information security requirements related to the risk mitigation of access by suppliers to organizational assets.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.20",
+ "Section": "Organizational controls",
+ "Control": "Addressing information security within supplier agreements",
+ "Requirements": "Any suppliers that view, process, store, communicate or provide IT infrastructure component information for the organization should be defined and agreed with all applicable information security requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.21",
+ "Section": "Organizational controls",
+ "Control": "Managing information security in the information \nand communication technology (ICT) supply-chain",
+ "Requirements": "Supplier agreements will contain provisions to mitigate information security risks associated with IT Services and the product supply chain.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.22",
+ "Section": "Organizational controls",
+ "Control": "Monitoring, review and change management of supplier services",
+ "Requirements": "Organizations shall monitor, review and audit the provision of service to suppliers on a regular basis. 
Change in the provision of services by providers should be managed with the focus on the criticality of enterprise information, systems, processes, and reassessment of risks and should include maintaining and improving existing information security policies, procedures, and controls.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.23",
+ "Section": "Organizational controls",
+ "Control": "Information security for use of cloud services",
+ "Requirements": "Set security requirements for cloud services in order to have better protection of your information in the cloud. This includes purchasing, using, managing, and terminating the use of cloud services.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.24",
+ "Section": "Organizational controls",
+ "Control": "Information security incident management planning and preparation",
+ "Requirements": "In order to ensure a quick, efficient, and organized response to Information Security Incident Management roles and procedures should be defined.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.25",
+ "Section": "Organizational controls",
+ "Control": "Assessment and decision on information security events",
+ "Requirements": "Information security events should be analyzed and determined whether they should be listed as incidents related to information security.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.26",
+ "Section": "Organizational controls",
+ "Control": "Response to information security incidents",
+ "Requirements": "In the context of the documented procedures, information security incidents should be responded to.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.27",
+ "Section": "Organizational controls",
+ "Control": "Learning from information security incidents",
+ "Requirements": "To minimize the risk or effect of potential accidents, the experience obtained from the study and mitigation of information security accidents should be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.28",
+ "Section": 
"Organizational controls",
+ "Control": "Collection of evidence",
+ "Requirements": "The organization will define, obtain, procure and retain information as documentation and implement procedures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.29",
+ "Section": "Organizational controls",
+ "Control": "Information security during disruption",
+ "Requirements": "In adverse circumstances, e.g. during a crisis or a catastrophe, the company will determine the information securityIn order to ensure the necessary degree of consistency of information security to adverse circumstances, the company should define, document, execute, and maintain processes, procedures, and controls. standards and consistency of information security management. In order to ensure accurate and productive to adverse circumstances, the company must review on-going controls on safety information defined and enforced at regular intervals.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.30",
+ "Section": "Organizational controls",
+ "Control": "ICT readiness for business continuity",
+ "Requirements": "Information and communication technology to be ready for potential disruptions so that required information and assets are available when needed. This includes readiness planning, implementation, maintenance, and testing.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.31",
+ "Section": "Organizational controls",
+ "Control": "Legal, statutory, regulatory and contractual requirements",
+ "Requirements": "Each of information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements. 
In accordance with all relevant agreements, legislation, and regulations, cryptographic controls must be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.32",
+ "Section": "Organizational controls",
+ "Control": "Intellectual property rights",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.33",
+ "Section": "Organizational controls",
+ "Control": "Protection of records",
+ "Requirements": "In accordance with the provisions to legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification, and unauthorized access and unauthorized release.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.34",
+ "Section": "Organizational controls",
+ "Control": "Privacy and protection of personal identifiable information (PII)",
+ "Requirements": "Privacy and protection of personal data should be guaranteed, as required, in applicable laws and regulations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.35",
+ "Section": "Organizational controls",
+ "Control": "Independent review of information security",
+ "Requirements": "Each of these information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.36",
+ "Section": "Organizational controls",
+ "Control": "Compliance with policies, rules and standards for information security",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon. 
Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.37",
+ "Section": "Organizational controls",
+ "Control": "Documented operating procedures",
+ "Requirements": "Operating procedures should be documented and accessed by all users in need.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1",
+ "Section": "People controls",
+ "Control": "Screening",
+ "Requirements": "Background verification checks on all job applicants will be performed in compliance with applicable rules, legislation, and ethics and should be proportionate to business criteria, classification of the information to be obtained, and potential risks.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.2",
+ "Section": "People controls",
+ "Control": "Terms and conditions of employment",
+ "Requirements": "Contract agreements with employees and contractors would set out their responsibility for information security, and hence the responsibility of the company.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.3",
+ "Section": "People controls",
+ "Control": "Information security awareness, education and training",
+ "Requirements": "All company workers and, where necessary, contractors will receive adequate awareness education and training, as well as daily updates on organizational policies and procedures, as applicable to their job function.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.4",
+ "Section": "People controls",
+ "Control": "Disciplinary process",
+ "Requirements": "A formal and informed administrative process will be in place to take action against employees who have committed an information security breach.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.5",
+ "Section": "People controls",
+ "Control": "Responsibilities after termination or change of employment",
+ "Requirements": "Responsibility and information/cyber security requirements that continue to 
be valid following termination or change of employment must be defined, communicated to, and implemented by the employee or contractor.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.6",
+ "Section": "People controls",
+ "Control": "Confidentiality or non-disclosure agreements",
+ "Requirements": "Information protection requirements of the organization for confidentiality or non-disclosure agreements should be identified, regularly reviewed, and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.7",
+ "Section": "People controls",
+ "Control": "Remote working",
+ "Requirements": "To guard the accessed, processed, or stored information at remote sites, a policy and supporting security measures should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.8",
+ "Section": "People controls",
+ "Control": "Information security event reporting",
+ "Requirements": "Information security incidents should be reported as quickly as possible through appropriate management channels. Any information security vulnerabilities found or suspected in systems or services in which employees and contractors are using the information systems and services of the organization should be recorded and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.1",
+ "Section": "Physical controls",
+ "Control": "Physical security perimeters",
+ "Requirements": "Security perimeters should be established in order to secure areas that contain either sensitive or confidential information and information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.2",
+ "Section": "Physical controls",
+ "Control": "Physical entry",
+ "Requirements": "Appropriate access controls should protect places to ensure that only authorized employees are allowed access. 
It is important to track and, where possible, differentiate between access points such as the distribution and loading areas and other locations in order to avoid unauthorized access by unauthorized persons to the premises.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.3",
+ "Section": "Physical controls",
+ "Control": "Securing offices, rooms and facilities",
+ "Requirements": "Physical security should be designed and implemented for the offices, rooms, and facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.4",
+ "Section": "Physical controls",
+ "Control": "Physical security monitoring",
+ "Requirements": "Monitor sensitive areas in order to enable only authorized people to access them. This might include your offices, production facilities, warehouses, and other premises.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.5",
+ "Section": "Physical controls",
+ "Control": "Protecting against physical and environmental threats",
+ "Requirements": "Physical protection should be designed and applied against natural disasters, malicious attacks or accidents.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.6",
+ "Section": "Physical controls",
+ "Control": "Working in secure areas",
+ "Requirements": "Procedures should be designed and implemented for working in safe areas.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.7",
+ "Section": "Physical controls",
+ "Control": "Clear desk and clear screen",
+ "Requirements": "A clear desk policy should be adopted for papers and removable storage media and a clear screen policy should be applied to information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.8",
+ "Section": "Physical controls",
+ "Control": "Equipment siting and protection",
+ "Requirements": "To mitigate the risk of environmental hazards, risks, and unauthorized access, the equipment should be sited and secured.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.9",
+ "Section": "Physical controls",
+ "Control": "Security of 
assets off-premises",
+ "Requirements": "The security of off-site assets should be applied to the various risks of working outside the premises of the organization in mind.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.10",
+ "Section": "Physical controls",
+ "Control": "Storage media",
+ "Requirements": "Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. When not required by specific protocols, media should be disposed of securely. Information media should be protected from unauthorized access, misuse or corruption during transportation. Without prior authorization, equipment, information, or software should not be taken off-site.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.11",
+ "Section": "Physical controls",
+ "Control": "Supporting utilities",
+ "Requirements": "Equipment should be secured against power failures and other disruptions caused by the supporting infrastructure failures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.12",
+ "Section": "Physical controls",
+ "Control": "Cabling security",
+ "Requirements": "Cable for power and telecommunications that carry data or support services should be safeguarded against interception, interference, or damage.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.13",
+ "Section": "Physical controls",
+ "Control": "Equipment maintenance",
+ "Requirements": "To ensure its continued availability and integrity, the equipment should be correctly maintained.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.14",
+ "Section": "Physical controls",
+ "Control": "Secure disposal or re-use of equipment",
+ "Requirements": "To avoid the removal or overriding of sensitive data and software by the disposal or reuse of any device containing storage medium, all devices must be reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1",
+ "Section": "Technological controls",
+ "Control": "User end point devices",
+ "Requirements": 
"To manage the risks introduced by the use of mobile devices, a policy and supporting safety measures should be adopted. Unattended equipment should be adequately protected by users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.2",
+ "Section": "Technological controls",
+ "Control": "Privileged access rights",
+ "Requirements": "A structured authorizing procedure in accordance with the appropriate access management policies should monitor the allocation and usage of delegated access privileges.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.3",
+ "Section": "Technological controls",
+ "Control": "Information access restriction",
+ "Requirements": "Access controls should be based on individual requirements for business applications and in compliance with a specified access control policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.4",
+ "Section": "Technological controls",
+ "Control": "Access to source code",
+ "Requirements": "Access should be limited to the source code of the program.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.5",
+ "Section": "Technological controls",
+ "Control": "Secure authentication",
+ "Requirements": "Access to systems and applications should be controlled by a secure log-on procedure when required by the Access Control Policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.6",
+ "Section": "Technological controls",
+ "Control": "Capacity management",
+ "Requirements": "In order to ensure necessary system performance, the use of resources should be monitored, adapted, and projected based on future capacity requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.7",
+ "Section": "Technological controls",
+ "Control": "Protection against malware",
+ "Requirements": "In combination with appropriate user awareness, the detection, prevention, and recovery controls to protect against malware should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.8",
+ "Section": "Technological controls",
+ "Control": 
"Management of technical vulnerabilities", + "Requirements": "Information on technological vulnerabilities of information systems used should be obtained in a timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate measures taken to address the risk involved. Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.", + "Status": "Unknown" + }, + { + "Code": "A.8.9", + "Section": "Technological controls", + "Control": "Configuration management", + "Requirements": "Manage the whole cycle of security configuration for your technology to ensure a proper level of security and to avoid any unauthorized changes. This includes configuration definition, implementation, monitoring, and review.", + "Status": "Unknown" + }, + { + "Code": "A.8.10", + "Section": "Technological controls", + "Control": "Information deletion", + "Requirements": "Delete data when no longer required, in order to avoid leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion in your IT systems, removable media, or cloud services.", + "Status": "Unknown" + }, + { + "Code": "A.8.11", + "Section": "Technological controls", + "Control": "Data masking", + "Requirements": "Use data masking together with access control in order to limit the exposure of sensitive information. This primarily means personal data, because they are heavily regulated through privacy regulations, but it could also include other categories of sensitive data.", + "Status": "Unknown" + }, + { + "Code": "A.8.12", + "Section": "Technological controls", + "Control": "Data leakage prevention", + "Requirements": "Apply various data leakage measures in order to avoid unauthorized disclosure of sensitive information, and if such incidents happen, to detect them in a timely manner. 
This includes information in IT systems, networks, or any devices.", + "Status": "Unknown" + }, + { + "Code": "A.8.13", + "Section": "Technological controls", + "Control": "Information backup", + "Requirements": "In accordance with the agreed backup policy, copies of records, program and device images shall be collected and regularly tested.", + "Status": "Unknown" + }, + { + "Code": "A.8.14", + "Section": "Technological controls", + "Control": "Redundancy of information processing facilities", + "Requirements": "How information processing facilities are implemented with redundancy sufficiency to meet availability requirements. Redundancy refers to implementing, typically, duplicate hardware to ensure availability of information processing systems.", + "Status": "Unknown" + }, + { + "Code": "A.8.15", + "Section": "Technological controls", + "Control": "Logging", + "Requirements": "Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions, defects, and information security events. Logging and log information should be secure from intrusion and unauthorized access. The activity of the System Manager and System Operator is to be logged, and the logs kept safe and monitored closely.", + "Status": "Unknown" + }, + { + "Code": "A.8.16", + "Section": "Technological controls", + "Control": "Monitoring activities", + "Requirements": "Monitor systems in order to recognize unusual activities and, if needed, to activate the appropriate incident response. 
This includes monitoring of your IT systems, networks, and applications.", + "Status": "Unknown" + }, + { + "Code": "A.8.17", + "Section": "Technological controls", + "Control": "Clock synchronization", + "Requirements": "Clocks in all related information management systems should be integrated into a single reference time source for an organization or safety domain.", + "Status": "Unknown" + }, + { + "Code": "A.8.18", + "Section": "Technological controls", + "Control": "Use of privileged utility programs", + "Requirements": "The use of utility programs that could bypass system and application controls should be limited and tightly controlled.", + "Status": "Unknown" + }, + { + "Code": "A.8.19", + "Section": "Technological controls", + "Control": "Installation of software on operational systems", + "Requirements": "To control the installation of software on operating systems, procedures should be implemented. Users should set and implement rules governing software installation.", + "Status": "Unknown" + }, + { + "Code": "A.8.20", + "Section": "Technological controls", + "Control": "Networks security", + "Requirements": "To protect information in systems and applications, networks should be managed and monitored.", + "Status": "Unknown" + }, + { + "Code": "A.8.21", + "Section": "Technological controls", + "Control": "Security of network services", + "Requirements": "Security protocols, quality of service, and management criteria for all network services, whether in-house or outsourced, should be defined and included in-network services agreements.", + "Status": "Unknown" + }, + { + "Code": "A.8.22", + "Section": "Technological controls", + "Control": "Segregation of networks", + "Requirements": "Network segregation should be established for information services, users, and information systems.", + "Status": "Unknown" + }, + { + "Code": "A.8.23", + "Section": "Technological controls", + "Control": "Web filtering", + "Requirements": "Manage which websites users are 
accessing, in order to protect your IT systems. This way, you can prevent your systems from being compromised by malicious code, and also prevent users from using illegal materials from the Internet.", + "Status": "Unknown" + }, + { + "Code": "A.8.24", + "Section": "Technological controls", + "Control": "Use of cryptography", + "Requirements": "A policy on the use of cryptographic controls for protection of information shall be developed and implemented. A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.", + "Status": "Unknown" + }, + { + "Code": "A.8.25", + "Section": "Technological controls", + "Control": "Secure development life cycle", + "Requirements": "Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle.", + "Status": "Unknown" + }, + { + "Code": "A.8.26", + "Section": "Technological controls", + "Control": "Application security requirements", + "Requirements": "Application services which pass through public networks should be protected against fraudulent activities, contract disputes, unauthorized disclosure, and modification. 
In order to avoid incomplete transmission, misrouting, unauthorized messaging modification, unauthorized dissemination, unauthorized message replication, or replay, information concerning application service transactions should be covered.", + "Status": "Unknown" + }, + { + "Code": "A.8.27", + "Section": "Technological controls", + "Control": "Secure system architecture and engineering principles", + "Requirements": "In the implementation of any information system implementation project, standards for secure system engineered must be established, documented, maintained, and implemented.", + "Status": "Unknown" + }, + { + "Code": "A.8.28", + "Section": "Technological controls", + "Control": "Secure coding", + "Requirements": "Establish secure coding principles and apply them to your software development in order to reduce security vulnerabilities in the software. This could include activities before, during, and after the coding.", + "Status": "Unknown" + }, + { + "Code": "A.8.29", + "Section": "Technological controls", + "Control": "Security testing in development and acceptance", + "Requirements": "During development, security functionality test should be conducted. New information systems, enhancements, and updated versions should be equipped with acceptance testing services and related requirements.", + "Status": "Unknown" + }, + { + "Code": "A.8.30", + "Section": "Technological controls", + "Control": "Outsourced development", + "Requirements": "The organization must monitor activity for the development of the outsourced system.", + "Status": "Unknown" + }, + { + "Code": "A.8.31", + "Section": "Technological controls", + "Control": "Separation of development, test and production environments", + "Requirements": "It is important to define and enforce the degree of separation between organizational, testing and development environments needed to avoid operational problems. 
Organizations should create secure development environments and integration efforts for the entire life cycle of system development, and should be adequately protected.", + "Status": "Unknown" + }, + { + "Code": "A.8.32", + "Section": "Technological controls", + "Control": "Change management", + "Requirements": "Changes in the organization, organizational procedures, information management facilities, and information security systems should be controlled. Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle. In changing operating platforms, critical applications of business should be revised and tested to ensure no adverse impacts on business or security. Software package modifications should be discouraged, restricted to the modifications necessary, and all changes controlled strictly.", + "Status": "Unknown" + }, + { + "Code": "A.8.33", + "Section": "Technological controls", + "Control": "Test information", + "Requirements": "Careful collection, security, and review of test data should be performed.", + "Status": "Unknown" + }, + { + "Code": "A.8.34", + "Section": "Technological controls", + "Control": "Protection of information systems during audit testing", + "Requirements": "The audit criteria and activities related to operating system verification should be carefully prepared and decided in order to reduce business process disturbance.", + "Status": "Unknown" + } +] \ No newline at end of file diff --git a/components/defaultLanding/data/configs/csc.ts b/components/defaultLanding/data/configs/csc.ts index f7df4439..bf892ae7 100644 --- a/components/defaultLanding/data/configs/csc.ts +++ b/components/defaultLanding/data/configs/csc.ts 
@@ -1,7 +1,18 @@ //import json from "../../../data/MVPS-controls.json"; -import json from '../MVPS-controls.json'; +import defaultJson from '../MVPS-controls.json'; +import iso2013Json from '../ISO-CSC-controls-2013.json' +import iso2022Json from '../ISO-CSC-controls-2022.json' + +import { Control, IsoControlMap, Section } from 'types'; + +// const controls = json['MVPS-Controls']; + +const controls = { + '2013': iso2013Json, + '2022': iso2022Json, + 'default': defaultJson["MVPS-Controls"] +} -const controls = json['MVPS-Controls']; const sections = [ { @@ -22,6 +33,12 @@ const sections = [ }, ]; +const isoOptions = [ + { label: 'ISO/IEC 27001:2013', value: '2013' }, + { label: 'ISO/IEC 27001:2022', value: '2022' }, + { label: 'MVSP v1.0-20211007', value: 'default' } +] + const perPageOptions: { label: string; value: number }[] = [ { label: '5', 
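Review bot: `controls` is declared without a type and is later indexed with a plain `string` (`controls[iso]` in the hunks that follow), so an unexpected framework value only fails at runtime with an undefined lookup; annotate the map, e.g. `const controls: Record<'2013' | '2022' | 'default', Control[]> = { ... }` or, if `IsoControlMap` (imported here) is the map type this commit adds in types/csc.ts, `const controls: IsoControlMap = { ... }`, so callers must narrow the key first. The two new `import ...Json from '...json'` lines lack the trailing semicolon the neighbouring import has. The commented-out `// const controls = json['MVPS-Controls'];` repeats the line the hunk removes and can be dropped.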
@@ -45,17 +62,113 @@ const perPageOptions: { label: string; value: number }[] = [ }, ]; -const controlOptions = controls.map( - ({ Code, Control, Requirements, Section }) => ({ - label: Control, - value: { - code: Code, - control: Control, - requirements: Requirements, - section: Section, - }, - }) -); +// const controlOptions = controls.map( +// ({ Code, Control, Requirements, Section }) => ({ +// label: Control, +// value: { +// code: Code, +// control: Control, +// requirements: Requirements, +// section: Section, +// }, +// }) +// ); + +const trimToSecondDot = (inputString: string): string => inputString.split('.').slice(0, 2).join('.'); + +const getSectionsLabels = (iso: string) => { + if (iso !== "2013") { + return getSections(iso).map(({ label }) => label) + } + + //For ISO 2013 we should merge the sections because of their big amount + const labelSet = new Set(); + controls[iso].forEach(item => { + labelSet.add(trimToSecondDot(item.Code)); + }); + + const sections = (Array.from(labelSet) as string[]) + .map((label: string) => label + " " + controls[iso].find(({ Code }) => Code.includes(label))?.Section.split(" - ")[0]) + + return sections +} + +const getControlOptions = (iso: string) => controls[iso].map(({ Code, Control, Requirements, Section }) => ({ + label: `${Code}: ${Section}, ${Control}`, + value: { + code: Code, + control: Control, + requirements: Requirements, + section: Section + } +})) + +const mergePoints = (d) => { + const merged = [ + d[0], + (d[1] + d[2]) / 2, + (d[3] + d[4] + d[5]) / 3, + (d[6] + d[7] + d[8]) / 3, + (d[9] + d[10] + d[11] + d[12]) / 4, + d[13], + (d[14] + d[15]) / 2, + (d[16] + d[17] + d[18] + d[19] + d[20] + d[21] + d[22]) / 7, + (d[23] + d[24]) / 2, + (d[25] + d[26] + d[27]) / 3, + (d[28] + d[29]) / 2, + d[30], + (d[31] + d[32]) / 2, + (d[33] + d[34]) / 2, + ] + + const rounded = merged.map(value => Math.round(value)) + + return rounded +} + +const getRadarChartLabels = (iso: string) => { + const labels = 
getSectionsLabels(iso) + return labels.map(label => label.split(" ")) +} + +const getSections = (iso: string): Section[] => { + const sectionSet = new Set(); + + if (controls[iso]) { + controls[iso].forEach((item) => { + sectionSet.add(item.Section); + }); + } + + const sections: Section[] = Array.from(sectionSet).map((section) => ({ + label: section, + value: section, + })); + + return sections; +} + +const getSectionFilterOptions = (iso: string) => { + if (iso !== '2013') { + return getSections(iso) + } + + const labels = getSectionsLabels(iso) + const options = labels.map(label => ({ + label, + value: removeBeforeFirstSpace(label) + })) + + return options +} + +const removeBeforeFirstSpace = (string) => { + const parts = string.split(' '); + if (parts.length > 1) { + return parts.slice(1).join(' '); + } + return string; +} const statusOptions: { label: string; value: number }[] = [ { @@ -159,10 +272,14 @@ const colourStyles = { export { colourStyles, - controlOptions, + mergePoints, + getRadarChartLabels, + getControlOptions, + getSections, + getSectionFilterOptions, statusOptions, - json, sections, perPageOptions, controls, + isoOptions }; diff --git a/components/interfaces/CSC/RadarChart.tsx b/components/interfaces/CSC/RadarChart.tsx index f6dbdc77..f6ca7d5f 100644 --- a/components/interfaces/CSC/RadarChart.tsx +++ b/components/interfaces/CSC/RadarChart.tsx @@ -9,7 +9,8 @@ import { Legend, } from "chart.js"; import { Radar } from "react-chartjs-2"; -import { sections, controls, statusOptions } from "@/components/defaultLanding/data/configs/csc"; +//TODO: GETSECTIONS INSTEAD OF SECTIONS +import { sections, controls, statusOptions, getRadarChartLabels, mergePoints, getSections } from "@/components/defaultLanding/data/configs/csc"; ChartJS.register( RadialLinearScale, 
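Review bot: `mergePoints` hard-codes fourteen index groups over `d[0]`…`d[34]`, which silently assumes `getSections('2013')` yields exactly 35 sections in the insertion order of the JSON file; any edit to ISO-CSC-controls-2013.json shifts the averages onto the wrong clause with no error, and `d` is an implicit `any`. The grouping can be derived from the same `trimToSecondDot` clause key `getSectionsLabels` already uses, as sketched below (it presumes every control in a section shares one clause prefix — confirm against the JSON). `getSections` builds `new Set()` without a type argument, so `label: section` is `unknown` rather than `string`, and `removeBeforeFirstSpace` is used before its `const` declaration and takes an untyped parameter.
```typescript
// Average the per-section maturity points of ISO 2013 into one point per
// top-level clause (A.5, A.6, …), keyed exactly as getSectionsLabels does.
const mergePoints = (d: number[]): number[] => {
  const sums = new Map<string, { total: number; count: number }>();
  getSections('2013').forEach(({ value }, i) => {
    const code = controls['2013'].find(({ Section }) => Section === value)?.Code ?? '';
    const key = trimToSecondDot(code);
    const entry = sums.get(key) ?? { total: 0, count: 0 };
    sums.set(key, { total: entry.total + (d[i] ?? 0), count: entry.count + 1 });
  });
  return Array.from(sums.values()).map(({ total, count }) => Math.round(total / count));
};
// … unchanged: getRadarChartLabels, getSections, getSectionFilterOptions …
```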
@@ -20,33 +21,80 @@ ChartJS.register( Legend ); -const getMaturityLevels = (statuses: { [key: string]: string; }) => { - if (typeof statusOptions === "undefined") { - return - } - const data = sections - .map(({ label }) => label) - .map((label) => { - const totalControls = controls - .filter(({ Section }) => Section === label) - .map(({ Control }) => Control); - const totalControlsValue = totalControls.reduce( - (accumulator, control) => - statusOptions.find(({ label }) => label === statuses[control])?.value! + accumulator, - 0 - ); - return totalControlsValue / totalControls.length; - }); - const roundedData = data.map((value) => Math.round(value)); - return roundedData; +// const mergeSections = (sections, points) => { +// const mergedSections = {}; +// const mergedPoints = []; + +// for (let i = 0; i < sections.length; i++) { +// const sectionLabel = sections[i].label; +// const sectionKey = sectionLabel.split(' - ')[0]; + +// if (!mergedSections[sectionKey]) { +// mergedSections[sectionKey] = { +// label: sectionKey, +// value: sectionKey, +// }; +// mergedPoints.push(0); +// } + +// mergedPoints[sections.indexOf(sections[i])] += points[i]; +// } + +// mergedPoints.filter(points => !isNaN(points)) + +// return mergedPoints; +// } + + +const getMaturityLevels = (statuses: { [key: string]: string; }, ISO: string) => { + const sections = getSections(ISO) + const data = sections + .map(({ label }) => label) + .map(label => { + const totalControls = controls[ISO] + .filter(({ Section }) => Section === label) + .map(({ Control }) => Control) + console.log('totalControls', {totalControls, statusOptions, statuses}) + const totalControlsValue = totalControls.reduce((accumulator, control) => (statusOptions.find(({ label }) => label === statuses[control])?.value || 0 )+ accumulator, 0); + return totalControlsValue / totalControls.length + }) + const roundedData = data.map(value => Math.round(value)) + + if (ISO != '2013') { + return roundedData + } else { + const 
mergedPoints = mergePoints(roundedData) + console.log('mergedPoints', {mergedPoints, roundedData}) + return mergedPoints + } + // if (typeof statusOptions === "undefined") { + // return + // } + // const data = sections + // .map(({ label }) => label) + // .map((label) => { + // const totalControls = controls[ISO] + // .filter(({ Section }) => Section === label) + // .map(({ Control }) => Control); + // const totalControlsValue = totalControls.reduce( + // (accumulator, control) => + // statusOptions.find(({ label }) => label === statuses[control])?.value! + accumulator, + // 0 + // ); + // return totalControlsValue / totalControls.length; + // }); + // const roundedData = data.map((value) => Math.round(value)); + // return roundedData; }; const RadarChart = ({ - statuses + statuses, + ISO }: { - statuses: { [key: string]: string; } + statuses: { [key: string]: string; }; + ISO: string }) => { - getMaturityLevels(statuses); + //getMaturityLevels(statuses); const options = { plugins: { legend: { @@ -63,18 +111,19 @@ const RadarChart = ({ responsive: true }; const data = { - labels: sections.map(({ label }) => label).map((label) => label.split(" ")), + // labels: sections.map(({ label }) => label).map((label) => label.split(" ")), + labels: getRadarChartLabels(ISO), datasets: [ { label: "Maturity level from 0 to 6", - data: getMaturityLevels(statuses), + data: getMaturityLevels(statuses, ISO), backgroundColor: "rgba(255, 99, 132, 0.2)", borderColor: "rgba(255, 99, 132, 1)", borderWidth: 1, }, ], }; - return ; + return ; }; export default RadarChart; diff --git a/components/interfaces/CSC/SectionFilter.tsx b/components/interfaces/CSC/SectionFilter.tsx index 938e11b3..bce0b55b 100644 --- a/components/interfaces/CSC/SectionFilter.tsx +++ b/components/interfaces/CSC/SectionFilter.tsx 
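Review bot: `getMaturityLevels` ships with two `console.log` calls that dump every control's status to the browser console on each render, plus roughly fifty lines of commented-out code (`mergeSections` and the old body) that should be deleted rather than kept under the new implementation. The branch `if (ISO != '2013')` uses loose inequality where the rest of the file uses `!==`; the intent is the same, so `if (ISO !== '2013') { return roundedData }` keeps the lint rule happy. The `?.value || 0` fallback now treats a status with value `0` the same as a missing one — fine if 0 is the "Unknown" level, but `?? 0` states that intent explicitly. RadarChart's own body continues into the next hunk.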
@@ -1,11 +1,13 @@ import React, {Dispatch, SetStateAction} from "react"; import Select from "@atlaskit/select"; -import { sections } from "@/components/defaultLanding/data/configs/csc"; +import { getSectionFilterOptions } from "@/components/defaultLanding/data/configs/csc"; import { WithoutRing } from "sharedStyles"; const SectionFilter = ({ + ISO, setSectionFilter }: { + ISO: string; setSectionFilter: Dispatch> }) => { return ( @@ -15,7 +17,7 @@ const SectionFilter = ({ inputId="multi-select-section-filter" className="multi-select" classNamePrefix="react-select" - options={sections} + options={getSectionFilterOptions(ISO)} onChange={(value) => { setSectionFilter([...value]); }} diff --git a/components/interfaces/CSC/StatusSelector.tsx b/components/interfaces/CSC/StatusSelector.tsx index 2a63c63b..41c86777 100644 --- a/components/interfaces/CSC/StatusSelector.tsx +++ b/components/interfaces/CSC/StatusSelector.tsx @@ -1,4 +1,4 @@ -import React, { useState } from "react"; +import React, { useEffect, useState } from "react"; import Select from "@atlaskit/select"; import { statusOptions, colourStyles } from "@/components/defaultLanding/data/configs/csc"; import { WithoutRing } from "sharedStyles"; @@ -13,6 +13,11 @@ const StatusSelector = ({ handler: (control: string, value: string) => Promise; }) => { const [value, setValue] = useState(statusValue); + + useEffect(() => { + setValue(statusValue) + }, [statusValue]) + return ( + {isoOptions.map((option, index) => ( + + ))} + + + + + + + + + ); +}; + +export default CSCSettings; diff --git a/components/team/index.ts b/components/team/index.ts index b5a4b303..a4ec334b 100644 --- a/components/team/index.ts +++ b/components/team/index.ts @@ -5,3 +5,4 @@ export { default as Members } from './Members'; export { default as RemoveTeam } from './RemoveTeam'; export { default as TeamSettings } from './TeamSettings'; export { default as Billing } from './Billing'; +export { default as CSCSettings } from './CSCSettings'; 
diff --git a/hooks/useISO.ts b/hooks/useISO.ts new file mode 100644 index 00000000..f309daa9 --- /dev/null +++ b/hooks/useISO.ts @@ -0,0 +1,46 @@ +import { getAxiosError } from '@/lib/common'; +import axios from 'axios'; +import type { Team } from '@prisma/client'; +import { useEffect, useState } from 'react'; +import toast from 'react-hot-toast'; +import { useTranslation } from 'next-i18next'; +import type { ApiResponse } from 'types'; + + +const useISO = (team: any) => { + const [ISO, setISO] = useState(null) + const { t } = useTranslation('common'); + + useEffect(() => { + const asyncEffect = async () => { + console.log('useISO async effect', team) + if (!team) { + return + } + const iso = team?.properties?.csc_iso + if (iso) { + setISO(iso) + } else { + try { + const response = await axios.get>( + `/api/teams/${team.slug}/csc/iso` + ); + + const { data: iso } = response.data; + if (iso) { + setISO(iso) + } + } catch (error) { + toast.error(getAxiosError(error)); + } + } + } + asyncEffect() + }, [team]) + + return { + ISO + }; +}; + +export default useISO; diff --git a/hooks/usePagination.ts b/hooks/usePagination.ts index 03304761..ce8e5a3c 100644 --- a/hooks/usePagination.ts +++ b/hooks/usePagination.ts @@ -13,6 +13,8 @@ interface PaginationResult { const usePagination = (data: T[], perPage: number): PaginationResult => { const [currentPage, setCurrentPage] = useState(1); + console.log('usePagination data', data) + const totalPages = Math.ceil(data.length / perPage); const startIndex = (currentPage - 1) * perPage; diff --git a/hooks/useTeam.ts b/hooks/useTeam.ts index 2c64e9da..748816cb 100644 --- a/hooks/useTeam.ts +++ b/hooks/useTeam.ts @@ -1,7 +1,7 @@ import fetcher from '@/lib/fetcher'; import type { Team } from '@prisma/client'; import { useRouter } from 'next/router'; -import useSWR from 'swr'; +import useSWR, { mutate } from 'swr'; import type { ApiResponse } from 'types'; const useTeam = (slug?: string) => { 
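Review bot: `const { data: iso } = response.data;` in useISO reads the wrong level of the envelope: the endpoint in pages/api/teams/[slug]/csc/iso.ts responds with `{ data: { iso: ... }, error: null }`, so `iso` here is the object `{ iso: '2013' }` and `setISO` stores an object, which later breaks every `controls[ISO]` lookup; it should be `const { data } = response.data; if (data?.iso) { setISO(data.iso) }`. The hook also takes `team: any` and calls `useState(null)`, which infers the state as `null`-only; `useState<string | null>(null)` and a `Team`-shaped parameter (the `Team` type is already imported and unused) would let the compiler catch the envelope mistake. The `console.log('useISO async effect', team)` line is debugging output.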
@@ -14,10 +14,15 @@ const useTeam = (slug?: string) => { fetcher ); + const mutateTeam = async () => { + mutate(`/api/teams/${teamSlug}`); + }; + return { isLoading, isError: error, team: data?.data, + mutateTeam }; }; diff --git a/lib/csc.ts b/lib/csc.ts index c7d41e74..5a21c59d 100644 --- a/lib/csc.ts +++ b/lib/csc.ts @@ -1,13 +1,24 @@ import { prisma } from '@/lib/prisma'; import type { Session } from 'next-auth'; +export const getCscControlsProp = (ISO: string) => { + const cscStatusesProp = `csc_controls${ISO !== 'default' ? `_${ISO}` : ''}`; + return cscStatusesProp +} + +export const getCscStatusesProp = (ISO: string) => { + const cscStatusesProp = `csc_statuses${ISO !== 'default' ? `_${ISO}` : ''}`; + return cscStatusesProp +} + export const addControlsToIssue = async (params: { user: Session['user']; taskNumber: number; slug: string; controls: string[]; + ISO: string; }) => { - const { taskNumber, slug, controls, user } = params; + const { taskNumber, slug, controls, user, ISO } = params; const task = await prisma.task.findFirst({ where: { taskNumber, @@ -21,16 +32,17 @@ export const addControlsToIssue = async (params: { return null; } + const cscStatusesProp = getCscControlsProp(ISO) const taskId = task.id; const taskProperties = task?.properties as any; - let csc_controls = taskProperties?.csc_controls; + let csc_controls = taskProperties?.[cscStatusesProp]; if (typeof csc_controls === 'undefined') { csc_controls = [...controls]; } else { csc_controls = [...csc_controls, ...controls]; } - taskProperties.csc_controls = csc_controls; + taskProperties[cscStatusesProp] = csc_controls; await prisma.task.update({ where: { @@ -59,8 +71,9 @@ export const removeControlsFromIssue = async (params: { taskNumber: number; slug: string; controls: string[]; + ISO: string; }) => { - const { taskNumber, slug, controls, user } = params; + const { taskNumber, slug, controls, user, ISO } = params; const task = await prisma.task.findFirst({ where: { taskNumber, 
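Review bot: `getCscControlsProp` and `getCscStatusesProp` build a JSON property name directly from the `ISO` string, and the only callers visible in this patch hand them `req.body.ISO` with nothing but an `as string` assertion (the three hunks in pages/api/teams/[slug]/tasks/[taskNumber]/csc.ts), so a client can create arbitrary `csc_controls_<anything>` keys on a task. Guard once in these helpers, e.g. `if (!['2013', '2022', 'default'].includes(ISO)) throw new Error('unknown CSC framework')`, or accept a union type and narrow at the API. The local in `getCscControlsProp` is also misnamed `cscStatusesProp`, and the callers carry that name on (`const cscStatusesProp = getCscControlsProp(ISO)`), which makes the two property families easy to mix up.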
@@ -74,13 +87,14 @@ export const removeControlsFromIssue = async (params: { return null; } + const cscStatusesProp = getCscControlsProp(ISO) const taskId = task.id; const taskProperties = task?.properties as any; - const csc_controls = taskProperties?.csc_controls as Array; + const csc_controls = taskProperties?.[cscStatusesProp] as Array; const new_csc_controls = csc_controls.filter( (item) => !controls.includes(item) ); - taskProperties.csc_controls = new_csc_controls; + taskProperties[cscStatusesProp] = new_csc_controls; await prisma.task.update({ where: { @@ -109,8 +123,9 @@ export const changeControlInIssue = async (params: { taskNumber: number; slug: string; controls: string[]; + ISO: string; }) => { - const { taskNumber, slug, controls, user } = params; + const { taskNumber, slug, controls, user, ISO } = params; const [oldControl, newControl] = controls; const task = await prisma.task.findFirst({ where: { @@ -125,9 +140,10 @@ export const changeControlInIssue = async (params: { return null; } + const cscStatusesProp = getCscControlsProp(ISO) const taskId = task.id; const taskProperties = task?.properties as any; - const csc_controls = taskProperties?.csc_controls as Array; + const csc_controls = taskProperties?.[cscStatusesProp] as Array; const new_csc_controls = csc_controls.map((control) => { if (control === oldControl) { @@ -137,7 +153,7 @@ export const changeControlInIssue = async (params: { } }); - taskProperties.csc_controls = new_csc_controls; + taskProperties[cscStatusesProp] = new_csc_controls; await prisma.task.update({ where: { diff --git a/locales/en/common.json b/locales/en/common.json index 281c66fb..9f4c01a8 100644 --- a/locales/en/common.json +++ b/locales/en/common.json 
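Review bot: `const csc_controls = taskProperties?.[cscStatusesProp] as Array;` in `removeControlsFromIssue` followed by `csc_controls.filter(...)` now throws a TypeError whenever the task has no entry under the per-framework key yet, which is the normal state for every task created before this change or under a different framework; the `as` cast hides that the value may be `undefined`. Default it, `const csc_controls = (taskProperties?.[cscStatusesProp] ?? []) as string[];`, and the same applies to the `.map` in `changeControlInIssue` in the next hunk. Both functions' bodies continue outside their hunks.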
@@ -200,6 +200,8 @@ "all-tasks": "All Tasks", "create": "Create", "csc": "Cybersecurity Management System", + "csc-choose-iso": "Framework controls", + "csc-settings": "Cybersecurity Settings", "rpa": "Register of Procedures", "rpa-activities": "Record of Processing Activities", "rpa-dpo": "Data Protection Officer (DPO)", diff --git a/models/team.ts b/models/team.ts index 145ab5ba..5c2221a5 100644 --- a/models/team.ts +++ b/models/team.ts @@ -1,11 +1,13 @@ import json from '@/components/defaultLanding/data/MVPS-controls.json'; import { prisma } from '@/lib/prisma'; +import { getCscStatusesProp } from '@/lib/csc'; import { getSession } from '@/lib/session'; import { findOrCreateApp } from '@/lib/svix'; import { Role } from '@prisma/client'; +import { controls } from '@/components/defaultLanding/data/configs/csc'; import type { NextApiRequest, NextApiResponse } from 'next'; -const controls = json['MVPS-Controls']; +// const controls = json['MVPS-Controls']; export const createTeam = async (param: { userId: string; @@ -240,7 +242,7 @@ export const incrementTaskIndex = async (teamId: string) => { console.error(error); } }; - +//TODO: should delete export const getTeamPropertiesBySlug = async (slug: string) => { const team = await prisma.team.findUnique({ where: { @@ -255,7 +257,7 @@ export const getTeamPropertiesBySlug = async (slug: string) => { }; export const getCscStatusesBySlug = async (slug: string) => { - const team = await prisma.team.findUnique({ + const team = await prisma.team.findUniqueOrThrow({ where: { slug: slug, }, 
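Review bot: In models/team.ts the `json` import on the first line is now unused, since its only consumer became `// const controls = json['MVPS-Controls'];`; remove both rather than leaving a dead import next to the new `controls` import. The `//TODO: should delete` placed above the exported `getTeamPropertiesBySlug` needs either the deletion or a sentence saying what replaces it, otherwise the next reader cannot tell whether callers still exist. Switching `getCscStatusesBySlug` to `findUniqueOrThrow` is fine, but note it turns an unknown slug into a thrown Prisma error rather than a null that the API layer can map to a 404 — confirm the route handles that.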
@@ -264,20 +266,26 @@ export const getCscStatusesBySlug = async (slug: string) => { }, }); - const teamProperties = team?.properties as any; + const teamProperties: any = team ? team.properties : {}; + const iso = teamProperties.csc_iso + const cscStatusesProp = getCscStatusesProp(iso) - if (teamProperties?.csc_statuses) { - return teamProperties?.csc_statuses; + console.log('cscStatusesProp', {cscStatusesProp, teamProperties}) + + if (teamProperties[cscStatusesProp]) { + console.log('return team properties', teamProperties[cscStatusesProp]) + return teamProperties[cscStatusesProp]; } - const initial = {} as any; - controls.forEach((control) => (initial[control.Control] = 'Unknown')); + const initial = {}; + controls[iso].forEach((control) => (initial[control.Control] = 'Unknown')); await prisma.team.update({ where: { slug: slug }, data: { properties: { - csc_statuses: initial, + ...teamProperties, + [cscStatusesProp]: initial, }, }, }); 
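Review bot: `const iso = teamProperties.csc_iso` is `undefined` for every team that has not yet been through `getCscIso`, and nothing in `getCscStatusesBySlug` defaults it, so `getCscStatusesProp(undefined)` yields the key `csc_statuses_undefined` and `controls[iso].forEach(...)` throws on the next line; use `const iso = teamProperties.csc_iso ?? 'default'` (the same fallback `getCscIso` writes). With `findUniqueOrThrow` above, `team ? team.properties : {}` can no longer take the `{}` branch and reads as if a null team were still possible. The two `console.log` calls print the team's full properties object — every control status — into the server log on each page load and should go.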
@@ -303,19 +311,98 @@ export const setCscStatus = async ({ }, }); - const teamProperties = team?.properties as any; + const teamProperties: any = team ? team.properties : {}; + + const iso = teamProperties.csc_iso - const csc_statuses = teamProperties?.csc_statuses; - csc_statuses[control] = value; + const cscStatusesProp = getCscStatusesProp(iso) + + const cscStatuses = { ...teamProperties[cscStatusesProp] }; + cscStatuses[control] = value; + + console.log('set csc statuses', cscStatusesProp) await prisma.team.update({ where: { slug: slug }, data: { properties: { - csc_statuses, + ...teamProperties, + [cscStatusesProp]: cscStatuses, }, }, }); - return csc_statuses; + return cscStatuses; }; + +export const getCscIso = async ({ + slug, +}: { + slug: string; +}) => { + const team = await prisma.team.findUnique({ + where: { + slug: slug, + }, + select: { + properties: true, + }, + }); + + console.log('getCscIso team', team) + + const teamProperties: any = team ? team.properties : {}; + + if (teamProperties?.csc_iso) { + return teamProperties?.csc_iso; + } + + const initial = 'default' + + const updatedProperties = { + ...teamProperties, + csc_iso: initial + }; + + await prisma.team.update({ + where: { slug: slug }, + data: { + properties: updatedProperties, + }, + }); + + return initial +} + +export const setCscIso = async ({ + slug, + iso +}: { + slug: string; + iso: string; +}) => { + const team = await prisma.team.findUnique({ + where: { + slug: slug, + }, + select: { + properties: true, + }, + }); + + const teamProperties: any = team ? team.properties : {}; + + const updatedProperties = { + ...teamProperties, + csc_iso: iso + }; + + await prisma.team.update({ + where: { slug: slug }, + data: { + properties: updatedProperties, + }, + }); + + return iso; +} \ No newline at end of file 
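Review bot: `setCscStatus` has the same missing default as the read path: `const iso = teamProperties.csc_iso` can be `undefined`, so a status set before the framework was initialised lands under `csc_statuses_undefined`; `?? 'default'` keeps both paths on one key. `setCscIso` persists whatever `iso` it receives with no check against the three shipped frameworks — if validation is not done at the API, it belongs here before the `prisma.team.update`. The read-spread-write of the whole `properties` JSON in all four functions means two concurrent saves can overwrite each other's keys; that is presumably pre-existing, but worth a comment now that three different properties share the object. `console.log('getCscIso team', team)` and `console.log('set csc statuses', ...)` are debug output.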
diff --git a/pages/api/teams/[slug]/csc.ts b/pages/api/teams/[slug]/csc/index.ts similarity index 95% rename from pages/api/teams/[slug]/csc.ts rename to pages/api/teams/[slug]/csc/index.ts index 09d14eea..8a0b7c10 100644 --- a/pages/api/teams/[slug]/csc.ts +++ b/pages/api/teams/[slug]/csc/index.ts @@ -26,7 +26,7 @@ const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => { throwIfNotAllowed(teamMember, 'team', 'read'); const { slug } = req.query; - const { control, value } = req.body; + const { control, value, ISO } = req.body; const statuses = await setCscStatus({ slug: slug as string, diff --git a/pages/api/teams/[slug]/csc/iso.ts b/pages/api/teams/[slug]/csc/iso.ts new file mode 100644 index 00000000..4db05dd2 --- /dev/null +++ b/pages/api/teams/[slug]/csc/iso.ts 
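Review bot: `const { control, value, ISO } = req.body;` destructures `ISO` but the `setCscStatus` call below it (cut off by the hunk) does not take it, and `setCscStatus` in models/team.ts reads the framework from the stored `csc_iso` instead, so `ISO` is an unused variable here. Either drop it, or pass it through and have `setCscStatus` refuse a write whose `ISO` differs from the team's stored framework, so a client still showing the old framework cannot write statuses under the wrong key. The rest of `handlePUT` is outside the hunk.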
@@ -0,0 +1,59 @@
+import { setCscStatus, setCscIso, getCscIso } from 'models/team';
+import type { NextApiRequest, NextApiResponse } from 'next';
+import { throwIfNoTeamAccess } from 'models/team';
+import { throwIfNotAllowed } from 'models/user';
+
+export default async function handler(
+ req: NextApiRequest,
+ res: NextApiResponse
+) {
+ const { method } = req;
+
+ switch (method) {
+ case 'GET':
+ return handleGET(req, res);
+ case 'PUT':
+ return handlePUT(req, res);
+ default:
+ res.setHeader('Allow', ['GET', 'DELETE', 'PUT']);
+ res.status(405).json({
+ data: null,
+ error: { message: `Method ${method} Not Allowed` },
+ });
+ }
+}
+
+const handleGET = async (req: NextApiRequest, res: NextApiResponse) => {
+ const teamMember = await throwIfNoTeamAccess(req, res);
+ throwIfNotAllowed(teamMember, 'team', 'read');
+
+ const { slug } = req.query;
+
+ const responce = await getCscIso({
+ slug: slug as string
+ })
+
+ console.log('hande get iso responce', responce)
+
+ return res.status(200).json({ data: { iso: responce }, error: null });
+
+}
+
+const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => {
+ const teamMember = await throwIfNoTeamAccess(req, res);
+ throwIfNotAllowed(teamMember, 'team', 'read');
+
+ const { slug } = req.query;
+ const { iso } = req.body;
+
+ console.log('hande put iso slug ', { slug, iso })
+
+ const responce = await setCscIso({
+ slug: slug as string,
+ iso
+ })
+
+ console.log('hande put isoresponce ', responce)
+
+ return res.status(200).json({ data: { iso: responce }, error: null });
+};
diff --git a/pages/api/teams/[slug]/tasks/[taskNumber]/csc.ts b/pages/api/teams/[slug]/tasks/[taskNumber]/csc.ts
index d027d87d..3d64097c 100644
--- a/pages/api/teams/[slug]/tasks/[taskNumber]/csc.ts
+++ b/pages/api/teams/[slug]/tasks/[taskNumber]/csc.ts
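Review bot: `const { iso } = req.body;` in `handlePUT` reaches `setCscIso` unchecked, and that value later becomes a property name through `getCscStatusesProp` and the lookup key for `controls[iso]` in models/team.ts, so any string a team member sends is persisted and then makes `getCscStatusesBySlug` throw; reject anything outside the three shipped values with a 400 before the write, as below. `handlePUT` also gates a settings mutation on `throwIfNotAllowed(teamMember, 'team', 'read')`, the same check as the GET, which looks too weak for a write — use whatever write-level action the project defines for team settings. The `Allow` header advertises `DELETE` although no DELETE branch exists, `setCscStatus` is imported but unused, and the three `console.log` calls (with the `hande`/`responce` typos) should not ship.
```typescript
const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => {
  const teamMember = await throwIfNoTeamAccess(req, res);
  // TODO(review): 'read' lets any team viewer change the framework; use the
  // project's write-level action for team settings here.
  throwIfNotAllowed(teamMember, 'team', 'read');

  const { slug } = req.query;
  const { iso } = req.body;

  // Only frameworks the app ships may be stored: the value becomes the
  // `csc_statuses_<iso>` property name and the `controls[iso]` lookup key.
  const allowedIso = ['2013', '2022', 'default'];
  if (typeof iso !== 'string' || !allowedIso.includes(iso)) {
    return res.status(400).json({ data: null, error: { message: 'Unknown framework' } });
  }

  // … unchanged: setCscIso call and 200 response …
};
```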
@@ -41,7 +41,7 @@ const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => { }); } - const { operation, controls } = req.body; + const { operation, controls, ISO } = req.body; if (operation === 'add') { await addControlsToIssue({ @@ -49,6 +49,7 @@ const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => { taskNumber: taskNumberAsNumber, slug: slug as string, controls, + ISO: ISO as string }); } @@ -58,6 +59,8 @@ const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => { taskNumber: taskNumberAsNumber, slug: slug as string, controls, + ISO: ISO as string + }); } @@ -67,6 +70,7 @@ const handlePUT = async (req: NextApiRequest, res: NextApiResponse) => { taskNumber: taskNumberAsNumber, slug: slug as string, controls, + ISO: ISO as string }); } diff --git a/pages/teams/[slug]/csc.tsx b/pages/teams/[slug]/csc.tsx index 3475c5d2..004f1026 100644 --- a/pages/teams/[slug]/csc.tsx +++ b/pages/teams/[slug]/csc.tsx @@ -1,5 +1,5 @@ import type { NextPageWithLayout } from "types"; -import { useState, useCallback } from "react"; +import { useState, useCallback, useEffect } from "react"; import { useRouter } from "next/router"; import { useTranslation } from "next-i18next"; import { serverSideTranslations } from "next-i18next/serverSideTranslations"; @@ -22,6 +22,7 @@ import { perPageOptions } from "@/components/defaultLanding/data/configs/csc"; import useTeamTasks from "hooks/useTeamTasks"; import { getCscStatusesBySlug } from "models/team"; import type { Option } from "types"; +import useISO from "hooks/useISO"; const CscDashboard: NextPageWithLayout< InferGetServerSidePropsType @@ -42,6 +43,7 @@ const CscDashboard: NextPageWithLayout< const { isLoading, isError, team } = useTeam(slug as string); const { tasks, mutateTasks } = useTeamTasks(slug as string) + const { ISO } = useISO(team) const statusHandler = useCallback(async (control: string, value: string) => { const response = await axios.put( 
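Review bot: `ISO as string` is a compile-time assertion that does nothing at runtime; `ISO` is whatever JSON the client sent (possibly `undefined`, a number or an object) and is passed unchanged into `addControlsToIssue` and the two sibling calls, and from there presumably into stored team/task properties. Validate once right after the destructure — `if (typeof ISO !== 'string') return res.status(400).json({ data: null, error: { message: 'ISO is required' } });` — and then the three `as string` casts can be dropped. The callees and the rest of `handlePUT` are outside the hunk, so confirm which of them actually consume the value.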
@@ -70,7 +72,8 @@ const CscDashboard: NextPageWithLayout< `/api/teams/${slug}/tasks/${taskNumber}/csc`, { controls: [control], - operation + operation, + ISO } ); @@ -83,9 +86,13 @@ const CscDashboard: NextPageWithLayout< mutateTasks() } - }, []) + }, [ISO]) + + useEffect(() => { + console.log('CSC ISO', ISO) + }, [ISO]) - if (isLoading || !team || !tasks) { + if (isLoading || !team || !tasks || !ISO) { return ; } @@ -104,11 +111,17 @@ const CscDashboard: NextPageWithLayout<
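Review bot: The new `useEffect(() => { console.log('CSC ISO', ISO) }, [ISO])` is debugging left in the page and prints the team's framework choice to the browser console on every change; remove it before merge. The loading guard now includes `!ISO`, so a team whose stored framework is falsy never leaves the loading placeholder — if an unset framework is a legitimate state, test `ISO === undefined` instead. The `useCallback` whose dependency list became `[ISO]` starts above the hunk.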
- +
- +
{ const { t } = useTranslation('common'); - const { isLoading, isError, team } = useTeam(); + const { isLoading, isError, team, mutateTeam } = useTeam(); if (isLoading) { return ; @@ -29,6 +29,7 @@ const Settings = ({ teamFeatures }) => {
+ diff --git a/pages/teams/[slug]/tasks/[taskNumber]/index.tsx b/pages/teams/[slug]/tasks/[taskNumber]/index.tsx index 7bc2aef4..58f91a65 100644 --- a/pages/teams/[slug]/tasks/[taskNumber]/index.tsx +++ b/pages/teams/[slug]/tasks/[taskNumber]/index.tsx @@ -12,6 +12,7 @@ import { CscAuditLogs, CscPanel } from "@/components/interfaces/CSC"; import { CreateRPA, RpaPanel, RpaAuditLog } from "@/components/interfaces/RPA"; import useTeam from "hooks/useTeam"; import useCanAccess from 'hooks/useCanAccess'; +import useISO from "hooks/useISO"; import { Team } from "@prisma/client"; import { getCscStatusesBySlug } from "models/team"; import { InferGetServerSidePropsType } from "next"; @@ -35,8 +36,9 @@ const TaskById: NextPageWithLayout< const { taskNumber, slug } = router.query; const { team, isLoading: isTeamLoading, isError: isTeamError } = useTeam(slug as string) const { task, isLoading, isError, mutateTask } = useTask(slug as string, taskNumber as string) + const { ISO } = useISO(team) - if (isLoading || isTeamLoading) { + if (isLoading || isTeamLoading || !ISO) { return ; } @@ -115,7 +117,13 @@ const TaskById: NextPageWithLayout< {activeTab === "Cybersecurity Controls" && ( - + )} diff --git a/types/csc.ts b/types/csc.ts index 9535a4e0..264b991a 100644 --- a/types/csc.ts +++ b/types/csc.ts @@ -24,3 +24,18 @@ export type ControlOption = { section: string; }; }; + +export type Control = { + Code: string; + Section: string; + Control: string; + Requirements: string; + Status: string; +}; + +export type IsoControlMap = Record; + +export type Section = { + label: string; + value: string; +}; From 9bed2798366ade31451f6a94d8b60ff9406aa11b Mon Sep 17 00:00:00 2001 
From: Predrag Tasevski Date: Wed, 8 Nov 2023 08:55:42 +0100 Subject: [PATCH 003/146] added captain and dockerfile --- Dockerfile | 17 +++ captain-definition | 4 + package-lock.json | 336 ++++++++++++++++++++++----------------------- 3 files changed, 189 insertions(+), 168 deletions(-) create mode 100644 Dockerfile create mode 100644 captain-definition
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..902630e5
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,17 @@
+# build environment
+FROM node:16.16.0 as builder
+RUN mkdir /usr/src/app
+WORKDIR /usr/src/app
+ENV PATH /usr/src/app/node_modules/.bin:$PATH
+COPY . /usr/src/app
+RUN npm install --force
+RUN npm run build
+
+# production environment
+FROM nginx:1.13.9-alpine
+RUN rm -rf /etc/nginx/conf.d
+RUN mkdir -p /etc/nginx/conf.d
+COPY ./default.conf /etc/nginx/conf.d/
+COPY --from=builder /usr/src/app/build /usr/share/nginx/html
+EXPOSE 80
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/captain-definition b/captain-definition
new file mode 100644
index 00000000..b434a578
--- /dev/null
+++ b/captain-definition
@@ -0,0 +1,4 @@
+{
+ "schemaVersion": 2,
+ "dockerfilePath" :"./Dockerfile"
+}
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
index 69a5b94f..39034f13 100644
--- a/package-lock.json
+++ b/package-lock.json
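Review bot: `COPY . /usr/src/app` copies the entire checkout into the builder layer — any local `.env`, `.git` and `node_modules` included — and no `.dockerignore` is added with it; add one excluding at least `.env*`, `.git`, `node_modules` and `.next` so credentials never land in an image layer. `RUN npm install --force` overrides peer-dependency conflicts and does not reproduce the lockfile; `RUN npm ci` is the right call in an image build. The runtime stage pins `nginx:1.13.9-alpine`, a 2018 release with known CVEs since, and serves `/usr/src/app/build` as static files, yet the package.json shown later on this page builds with `next build`, which emits `.next` and needs a Node server for the `pages/api` routes — this image cannot serve the app as written.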
@@ -4852,6 +4852,126 @@ "node": ">= 10" } }, + "node_modules/@next/swc-darwin-x64": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-13.5.6.tgz", + "integrity": "sha512-6cgBfxg98oOCSr4BckWjLLgiVwlL3vlLj8hXg2b+nDgm4bC/qVXXLfpLB9FHdoDu4057hzywbxKvmYGmi7yUzA==", + "cpu": [ + "x64" + ], + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">= 10" + } + }, + "node_modules/@next/swc-linux-arm64-gnu": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-13.5.6.tgz", + "integrity": "sha512-txagBbj1e1w47YQjcKgSU4rRVQ7uF29YpnlHV5xuVUsgCUf2FmyfJ3CPjZUvpIeXCJAoMCFAoGnbtX86BK7+sg==", + "cpu": [ + "arm64" + ], + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">= 10" + } + }, + "node_modules/@next/swc-linux-arm64-musl": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-13.5.6.tgz", + "integrity": "sha512-cGd+H8amifT86ZldVJtAKDxUqeFyLWW+v2NlBULnLAdWsiuuN8TuhVBt8ZNpCqcAuoruoSWynvMWixTFcroq+Q==", + "cpu": [ + "arm64" + ], + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">= 10" + } + }, + "node_modules/@next/swc-linux-x64-gnu": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-13.5.6.tgz", + "integrity": "sha512-Mc2b4xiIWKXIhBy2NBTwOxGD3nHLmq4keFk+d4/WL5fMsB8XdJRdtUlL87SqVCTSaf1BRuQQf1HvXZcy+rq3Nw==", + "cpu": [ + "x64" + ], + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">= 10" + } + }, + "node_modules/@next/swc-linux-x64-musl": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-13.5.6.tgz", + "integrity": "sha512-CFHvP9Qz98NruJiUnCe61O6GveKKHpJLloXbDSWRhqhkJdZD2zU5hG+gtVJR//tyW897izuHpM6Gtf6+sNgJPQ==", + "cpu": [ + "x64" + ], + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": 
">= 10" + } + }, + "node_modules/@next/swc-win32-arm64-msvc": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-13.5.6.tgz", + "integrity": "sha512-aFv1ejfkbS7PUa1qVPwzDHjQWQtknzAZWGTKYIAaS4NMtBlk3VyA6AYn593pqNanlicewqyl2jUhQAaFV/qXsg==", + "cpu": [ + "arm64" + ], + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">= 10" + } + }, + "node_modules/@next/swc-win32-ia32-msvc": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-13.5.6.tgz", + "integrity": "sha512-XqqpHgEIlBHvzwG8sp/JXMFkLAfGLqkbVsyN+/Ih1mR8INb6YCc2x/Mbwi6hsAgUnqQztz8cvEbHJUbSl7RHDg==", + "cpu": [ + "ia32" + ], + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">= 10" + } + }, + "node_modules/@next/swc-win32-x64-msvc": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-13.5.6.tgz", + "integrity": "sha512-Cqfe1YmOS7k+5mGu92nl5ULkzpKuxJrP3+4AEuPmrpFZ3BHxTY3TnHmU1On3bFmFFs6FbTcdF58CCUProGpIGQ==", + "cpu": [ + "x64" + ], + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">= 10" + } + }, "node_modules/@nicolo-ribaudo/semver-v6": { "version": "6.3.3", "license": "ISC", 
@@ -19642,126 +19762,6 @@ "funding": { "url": "https://github.com/sponsors/colinhacks" } - }, - "node_modules/@next/swc-darwin-x64": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-13.5.6.tgz", - "integrity": "sha512-6cgBfxg98oOCSr4BckWjLLgiVwlL3vlLj8hXg2b+nDgm4bC/qVXXLfpLB9FHdoDu4057hzywbxKvmYGmi7yUzA==", - "cpu": [ - "x64" - ], - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@next/swc-linux-arm64-gnu": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-13.5.6.tgz", - "integrity": "sha512-txagBbj1e1w47YQjcKgSU4rRVQ7uF29YpnlHV5xuVUsgCUf2FmyfJ3CPjZUvpIeXCJAoMCFAoGnbtX86BK7+sg==", - "cpu": [ - "arm64" - ], - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@next/swc-linux-arm64-musl": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-13.5.6.tgz", - "integrity": "sha512-cGd+H8amifT86ZldVJtAKDxUqeFyLWW+v2NlBULnLAdWsiuuN8TuhVBt8ZNpCqcAuoruoSWynvMWixTFcroq+Q==", - "cpu": [ - "arm64" - ], - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@next/swc-linux-x64-gnu": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-13.5.6.tgz", - "integrity": "sha512-Mc2b4xiIWKXIhBy2NBTwOxGD3nHLmq4keFk+d4/WL5fMsB8XdJRdtUlL87SqVCTSaf1BRuQQf1HvXZcy+rq3Nw==", - "cpu": [ - "x64" - ], - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@next/swc-linux-x64-musl": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-13.5.6.tgz", - "integrity": "sha512-CFHvP9Qz98NruJiUnCe61O6GveKKHpJLloXbDSWRhqhkJdZD2zU5hG+gtVJR//tyW897izuHpM6Gtf6+sNgJPQ==", - "cpu": [ - "x64" - ], - "optional": true, - 
"os": [ - "linux" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@next/swc-win32-arm64-msvc": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-13.5.6.tgz", - "integrity": "sha512-aFv1ejfkbS7PUa1qVPwzDHjQWQtknzAZWGTKYIAaS4NMtBlk3VyA6AYn593pqNanlicewqyl2jUhQAaFV/qXsg==", - "cpu": [ - "arm64" - ], - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@next/swc-win32-ia32-msvc": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-13.5.6.tgz", - "integrity": "sha512-XqqpHgEIlBHvzwG8sp/JXMFkLAfGLqkbVsyN+/Ih1mR8INb6YCc2x/Mbwi6hsAgUnqQztz8cvEbHJUbSl7RHDg==", - "cpu": [ - "ia32" - ], - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@next/swc-win32-x64-msvc": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-13.5.6.tgz", - "integrity": "sha512-Cqfe1YmOS7k+5mGu92nl5ULkzpKuxJrP3+4AEuPmrpFZ3BHxTY3TnHmU1On3bFmFFs6FbTcdF58CCUProGpIGQ==", - "cpu": [ - "x64" - ], - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": ">= 10" - } } }, "dependencies": { 
@@ -23279,6 +23279,54 @@ "integrity": "sha512-5nvXMzKtZfvcu4BhtV0KH1oGv4XEW+B+jOfmBdpFI3C7FrB/MfujRpWYSBBO64+qbW8pkZiSyQv9eiwnn5VIQA==", "optional": true }, + "@next/swc-darwin-x64": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-13.5.6.tgz", + "integrity": "sha512-6cgBfxg98oOCSr4BckWjLLgiVwlL3vlLj8hXg2b+nDgm4bC/qVXXLfpLB9FHdoDu4057hzywbxKvmYGmi7yUzA==", + "optional": true + }, + "@next/swc-linux-arm64-gnu": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-13.5.6.tgz", + "integrity": "sha512-txagBbj1e1w47YQjcKgSU4rRVQ7uF29YpnlHV5xuVUsgCUf2FmyfJ3CPjZUvpIeXCJAoMCFAoGnbtX86BK7+sg==", + "optional": true + }, + "@next/swc-linux-arm64-musl": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-13.5.6.tgz", + "integrity": "sha512-cGd+H8amifT86ZldVJtAKDxUqeFyLWW+v2NlBULnLAdWsiuuN8TuhVBt8ZNpCqcAuoruoSWynvMWixTFcroq+Q==", + "optional": true + }, + "@next/swc-linux-x64-gnu": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-13.5.6.tgz", + "integrity": "sha512-Mc2b4xiIWKXIhBy2NBTwOxGD3nHLmq4keFk+d4/WL5fMsB8XdJRdtUlL87SqVCTSaf1BRuQQf1HvXZcy+rq3Nw==", + "optional": true + }, + "@next/swc-linux-x64-musl": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-13.5.6.tgz", + "integrity": "sha512-CFHvP9Qz98NruJiUnCe61O6GveKKHpJLloXbDSWRhqhkJdZD2zU5hG+gtVJR//tyW897izuHpM6Gtf6+sNgJPQ==", + "optional": true + }, + "@next/swc-win32-arm64-msvc": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-13.5.6.tgz", + "integrity": "sha512-aFv1ejfkbS7PUa1qVPwzDHjQWQtknzAZWGTKYIAaS4NMtBlk3VyA6AYn593pqNanlicewqyl2jUhQAaFV/qXsg==", + "optional": true + }, + "@next/swc-win32-ia32-msvc": { + "version": "13.5.6", + "resolved": 
"https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-13.5.6.tgz", + "integrity": "sha512-XqqpHgEIlBHvzwG8sp/JXMFkLAfGLqkbVsyN+/Ih1mR8INb6YCc2x/Mbwi6hsAgUnqQztz8cvEbHJUbSl7RHDg==", + "optional": true + }, + "@next/swc-win32-x64-msvc": { + "version": "13.5.6", + "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-13.5.6.tgz", + "integrity": "sha512-Cqfe1YmOS7k+5mGu92nl5ULkzpKuxJrP3+4AEuPmrpFZ3BHxTY3TnHmU1On3bFmFFs6FbTcdF58CCUProGpIGQ==", + "optional": true + }, "@nicolo-ribaudo/semver-v6": { "version": "6.3.3" }, 
@@ -32685,54 +32733,6 @@ "version": "3.22.4", "resolved": "https://registry.npmjs.org/zod/-/zod-3.22.4.tgz", "integrity": "sha512-iC+8Io04lddc+mVqQ9AZ7OQ2MrUKGN+oIQyq1vemgt46jwCwLfhq7/pwnBnNXXXZb8VTVLKwp9EDkx+ryxIWmg==" - }, - "@next/swc-darwin-x64": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-13.5.6.tgz", - "integrity": "sha512-6cgBfxg98oOCSr4BckWjLLgiVwlL3vlLj8hXg2b+nDgm4bC/qVXXLfpLB9FHdoDu4057hzywbxKvmYGmi7yUzA==", - "optional": true - }, - "@next/swc-linux-arm64-gnu": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-13.5.6.tgz", - "integrity": "sha512-txagBbj1e1w47YQjcKgSU4rRVQ7uF29YpnlHV5xuVUsgCUf2FmyfJ3CPjZUvpIeXCJAoMCFAoGnbtX86BK7+sg==", - "optional": true - }, - "@next/swc-linux-arm64-musl": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-13.5.6.tgz", - "integrity": "sha512-cGd+H8amifT86ZldVJtAKDxUqeFyLWW+v2NlBULnLAdWsiuuN8TuhVBt8ZNpCqcAuoruoSWynvMWixTFcroq+Q==", - "optional": true - }, - "@next/swc-linux-x64-gnu": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-13.5.6.tgz", - "integrity": "sha512-Mc2b4xiIWKXIhBy2NBTwOxGD3nHLmq4keFk+d4/WL5fMsB8XdJRdtUlL87SqVCTSaf1BRuQQf1HvXZcy+rq3Nw==", - "optional": true - }, - "@next/swc-linux-x64-musl": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-13.5.6.tgz", - "integrity": "sha512-CFHvP9Qz98NruJiUnCe61O6GveKKHpJLloXbDSWRhqhkJdZD2zU5hG+gtVJR//tyW897izuHpM6Gtf6+sNgJPQ==", - "optional": true - }, - "@next/swc-win32-arm64-msvc": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-13.5.6.tgz", - "integrity": "sha512-aFv1ejfkbS7PUa1qVPwzDHjQWQtknzAZWGTKYIAaS4NMtBlk3VyA6AYn593pqNanlicewqyl2jUhQAaFV/qXsg==", - "optional": true - }, - 
"@next/swc-win32-ia32-msvc": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-win32-ia32-msvc/-/swc-win32-ia32-msvc-13.5.6.tgz", - "integrity": "sha512-XqqpHgEIlBHvzwG8sp/JXMFkLAfGLqkbVsyN+/Ih1mR8INb6YCc2x/Mbwi6hsAgUnqQztz8cvEbHJUbSl7RHDg==", - "optional": true - }, - "@next/swc-win32-x64-msvc": { - "version": "13.5.6", - "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-13.5.6.tgz", - "integrity": "sha512-Cqfe1YmOS7k+5mGu92nl5ULkzpKuxJrP3+4AEuPmrpFZ3BHxTY3TnHmU1On3bFmFFs6FbTcdF58CCUProGpIGQ==", - "optional": true } } } From e187b7f4f3f38710995182168c8eb1beeb2e9e9a Mon Sep 17 00:00:00 2001 From: Predrag Tasevski Date: Wed, 8 Nov 2023 10:40:07 +0100 Subject: [PATCH 004/146] dev build --- Dockerfile | 4 +++- docker-compose.yml | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 902630e5..f5b7613b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,9 @@ WORKDIR /usr/src/app ENV PATH /usr/src/app/node_modules/.bin:$PATH COPY . /usr/src/app RUN npm install --force -RUN npm run build +RUN docker-compose up -d +RUN npx prisma db push +RUN npm run dev # production environment FROM nginx:1.13.9-alpine diff --git a/docker-compose.yml b/docker-compose.yml index cc40d20f..84365439 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,8 +4,8 @@ services: image: postgres restart: always environment: - POSTGRES_PASSWORD: retraced - POSTGRES_USER: password + POSTGRES_PASSWORD: 7emp1eAppe4rance5Rang3I5BNOffice + POSTGRES_USER: unicis_platform POSTGRES_DB: unicis_platform ports: - 5432:5432 From 3dbfe75057cceaaf7a8a84401334d096d9750b70 Mon Sep 17 00:00:00 2001 From: Predrag Tasevski Date: Wed, 8 Nov 2023 10:43:35 +0100 Subject: [PATCH 005/146] delete docker composer --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f5b7613b..ef2dabe8 100644 --- a/Dockerfile +++ b/Dockerfile 
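Review bot: `RUN docker-compose up -d` cannot work inside an image build (there is no Docker daemon or compose binary in the `node:16.16.0` builder), `RUN npx prisma db push` needs a reachable `DATABASE_URL` at build time and alters the schema of whatever database it points at, and `RUN npm run dev` starts a dev server that never exits, so the build hangs. Keep the builder stage to `RUN npm ci` and `RUN npm run build`, and apply migrations as a deploy step or entrypoint against the target database.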
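Review bot: The new `POSTGRES_PASSWORD` value looks like a real credential and is now committed to source control; once pushed it lives in git history and should be treated as compromised — rotate it and reference it through variable substitution, `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}`, with the value in a git-ignored `.env` file. Swapping the previously inverted `retraced`/`password` pair and naming the user `unicis_platform` is fine. `5432:5432` also publishes the database on every host interface; for local development bind it as `127.0.0.1:5432:5432`.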
@@ -5,7 +5,6 @@ WORKDIR /usr/src/app ENV PATH /usr/src/app/node_modules/.bin:$PATH COPY . /usr/src/app RUN npm install --force -RUN docker-compose up -d RUN npx prisma db push RUN npm run dev From c03e124b658338dc5652ea277805924b23b705ef Mon Sep 17 00:00:00 2001 From: Predrag Tasevski Date: Wed, 8 Nov 2023 12:55:54 +0100 Subject: [PATCH 006/146] dockerfile changes --- Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index ef2dabe8..167f5160 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,15 +1,14 @@ # build environment -FROM node:16.16.0 as builder +FROM node:latest as builder RUN mkdir /usr/src/app WORKDIR /usr/src/app ENV PATH /usr/src/app/node_modules/.bin:$PATH COPY . /usr/src/app RUN npm install --force -RUN npx prisma db push RUN npm run dev # production environment -FROM nginx:1.13.9-alpine +FROM nginx:latest RUN rm -rf /etc/nginx/conf.d RUN mkdir -p /etc/nginx/conf.d COPY ./default.conf /etc/nginx/conf.d/ From 1d6d63e99e24e6f6fcba49606f6af200820f5542 Mon Sep 17 00:00:00 2001 From: Predrag Tasevski Date: Wed, 8 Nov 2023 13:18:11 +0100 Subject: [PATCH 007/146] change the package name --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 49e5d638..c1e7c270 100644 --- a/package.json +++ b/package.json @@ -1,5 +1,5 @@ { - "name": "saas-starter-kit", + "name": "unicis-platform", "version": "0.1.0", "private": true, "scripts": { From 6377669e8439346e2b989ed3a2d0cdd0f91ee73b Mon Sep 17 00:00:00 2001 From: Predrag Tasevski Date: Wed, 8 Nov 2023 13:52:32 +0100 Subject: [PATCH 008/146] test env --- next.config.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/next.config.js b/next.config.js index b0b2d69f..91d670cb 100644 --- a/next.config.js +++ b/next.config.js 
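Review bot: `FROM node:latest` and `FROM nginx:latest` make every build non-reproducible and silently pull whatever major version is current, which is how an unreviewed base-image change reaches production; pin explicit tags (ideally digests), e.g. `FROM node:18-alpine AS builder` and `FROM nginx:1.25-alpine`. The builder still runs `RUN npm run dev`, which launches the dev server and never returns, so the image cannot finish building (a later commit on this page switches it to `npm run build`). `COPY . /usr/src/app` continues to copy `.env` and `.git` into the layer with no `.dockerignore` in sight.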
@@ -15,7 +15,7 @@ const redirects = [ const nextConfig = { reactStrictMode: false, images: { - domains: ['boxyhq.com'], + domains: ['platform.unicis.tech'], }, i18n, async redirects() { From b68ce6be55682e1be59003c9b9fc4d87173a07e8 Mon Sep 17 00:00:00 2001 From: Predrag Tasevski Date: Wed, 8 Nov 2023 13:53:05 +0100 Subject: [PATCH 009/146] build --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 167f5160..2d664124 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ WORKDIR /usr/src/app ENV PATH /usr/src/app/node_modules/.bin:$PATH COPY . /usr/src/app RUN npm install --force -RUN npm run dev +RUN npm run build # production environment FROM nginx:latest From 0dea7a51c32f62b97d939c03fdc6a57cb45c8df0 Mon Sep 17 00:00:00 2001 From: Predrag Tasevski Date: Wed, 8 Nov 2023 14:07:36 +0100 Subject: [PATCH 010/146] change the port --- Dockerfile | 34 ++++++++++++++++++++-------------- Dockerfile-bck | 17 +++++++++++++++++ package.json | 6 +++--- 3 files changed, 40 insertions(+), 17 deletions(-) create mode 100644 Dockerfile-bck diff --git a/Dockerfile b/Dockerfile index 2d664124..acc01abf 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,17 +1,23 @@ -# build environment -FROM node:latest as builder -RUN mkdir /usr/src/app -WORKDIR /usr/src/app -ENV PATH /usr/src/app/node_modules/.bin:$PATH -COPY . /usr/src/app +# Use the official Node.js image as the base image +FROM node:14-alpine + +# Set the working directory in the container +WORKDIR /app + +# Copy package.json and package-lock.json to the working directory +COPY package*.json ./ + +# Install dependencies RUN npm install --force + +# Copy the entire application to the working directory +COPY . . + +# Expose the port on which your Next.js app will run +EXPOSE 3000 + +# Build the Next.js app RUN npm run build -# production environment -FROM nginx:latest -RUN rm -rf /etc/nginx/conf.d -RUN mkdir -p /etc/nginx/conf.d -COPY ./default.conf /etc/nginx/conf.d/ -COPY --from=builder /usr/src/app/build /usr/share/nginx/html -EXPOSE 80 -CMD ["nginx", "-g", "daemon off;"] +# Start the Next.js app +CMD ["npm", "start"] diff --git a/Dockerfile-bck b/Dockerfile-bck new file mode 100644 index 00000000..2d664124 --- /dev/null +++ b/Dockerfile-bck @@ -0,0 +1,17 @@ +# build environment +FROM node:latest as builder +RUN mkdir /usr/src/app +WORKDIR /usr/src/app +ENV PATH /usr/src/app/node_modules/.bin:$PATH +COPY . /usr/src/app +RUN npm install --force +RUN npm run build + +# production environment +FROM nginx:latest +RUN rm -rf /etc/nginx/conf.d +RUN mkdir -p /etc/nginx/conf.d +COPY ./default.conf /etc/nginx/conf.d/ +COPY --from=builder /usr/src/app/build /usr/share/nginx/html +EXPOSE 80 +CMD ["nginx", "-g", "daemon off;"] diff --git a/package.json b/package.json index c1e7c270..89fc210e 100644 --- a/package.json +++ b/package.json 
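Review bot: `RUN npm run build` at image-build time runs the `build` script, which per the package.json hunk that follows is `prisma generate && prisma db push && next build` — so building the image requires a live database and pushes schema changes to it using whatever `DATABASE_URL` came in with `COPY . .`. Split them: run `prisma generate && next build` in the image and apply `prisma db push`/migrations at deploy time. `node:14-alpine` is end-of-life (no security fixes since April 2023) and, as far as I recall, below the Node version Next 13 requires — confirm against its `engines` and pin a supported LTS line. `COPY . .` still brings in `.env`, `.git` and `node_modules` with no `.dockerignore`, and the container runs as root; add `USER node` before `CMD` (the official node images ship that user).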
@@ -1,11 +1,11 @@ { "name": "unicis-platform", - "version": "0.1.0", + "version": "0.1.1", "private": true, "scripts": { - "dev": "next dev --port 4002", + "dev": "next dev --port 3000", "build": "prisma generate && prisma db push && next build", - "start": "next start --port 4002", + "start": "next start --port 3000", "check-types": "tsc --pretty --noEmit", "check-format": "prettier --check .", "check-lint": "eslint . --ext ts --ext tsx --ext js", From 05631dfcea7e7cbce742d9570ca6f7d30543d961 Mon Sep 17 00:00:00 2001 From: Yaroslav Bondarets Date: Wed, 8 Nov 2023 21:10:34 +0200 Subject: [PATCH 011/146] ISO default property hotfix --- models/team.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/team.ts b/models/team.ts index 5c2221a5..3b7cb43c 100644 --- a/models/team.ts +++ b/models/team.ts @@ -267,7 +267,7 @@ export const getCscStatusesBySlug = async (slug: string) => { }); const teamProperties: any = team ? team.properties : {}; - const iso = teamProperties.csc_iso + const iso = teamProperties.csc_iso || 'default' const cscStatusesProp = getCscStatusesProp(iso) console.log('cscStatusesProp', {cscStatusesProp, teamProperties}) From ceae14a6bacabd9d97db3c89c958a7e74d2c99ed Mon Sep 17 00:00:00 2001 From: Predrag Tasevski Date: Wed, 8 Nov 2023 21:06:05 +0100 Subject: [PATCH 012/146] changes in package --- package-lock.json | 8 ++++---- package.json | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index 39034f13..618dbdbf 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { - "name": "saas-starter-kit", - "version": "0.1.0", + "name": "unicis-platform", + "version": "0.1.1", "lockfileVersion": 2, "requires": true, "packages": { "": { - "name": "saas-starter-kit", - "version": "0.1.0", + "name": "unicis-platform", + "version": "0.1.1", "dependencies": { "@atlaskit/avatar": "^21.1.10", "@atlaskit/badge": "^15.1.11", 
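Review bot: `teamProperties` is typed `any`, so `csc_iso` reaches `getCscStatusesProp(iso)` without any check that it is one of the known framework keys; the PUT `/csc/iso` handler earlier on this page stores `req.body.iso` verbatim, so an arbitrary value can arrive here. Narrow it once — `const iso = typeof teamProperties?.csc_iso === 'string' ? teamProperties.csc_iso : 'default'` — and, if `getCscStatusesProp` only accepts a fixed set, check membership before calling it. `console.log('cscStatusesProp', {cscStatusesProp, teamProperties})` dumps the whole team properties object, which may hold more than CSC settings, into server logs on every call and should be removed. `getCscStatusesBySlug` continues outside the hunk.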
diff --git a/package.json b/package.json index 89fc210e..654a7d24 100644 --- a/package.json +++ b/package.json @@ -3,9 +3,9 @@ "version": "0.1.1", "private": true, "scripts": { - "dev": "next dev --port 3000", + "dev": "next dev --port 4002", "build": "prisma generate && prisma db push && next build", - "start": "next start --port 3000", + "start": "next start --port 4002", "check-types": "tsc --pretty --noEmit", "check-format": "prettier --check .", "check-lint": "eslint . --ext ts --ext tsx --ext js", From e973231d1ab6808f49f7b4dd7337f62bc4a5fb93 Mon Sep 17 00:00:00 2001 
From: Predrag Tasevski Date: Tue, 14 Nov 2023 23:48:05 +0100 Subject: [PATCH 013/146] latest tests and scripts running. --- .../data/ISO-CSC-controls-2013.json | 1600 ++++++++--------- .../data/ISO-CSC-controls-2022.json | 1306 +++++++------- .../defaultLanding/data/MVPS-controls.json | 604 +++---- .../data/availableExtensions.json | 34 +- components/defaultLanding/data/configs/csc.ts | 89 +- components/defaultLanding/data/statuses.json | 2 +- components/emailTemplates/EmailLayout.tsx | 6 +- .../interfaces/Auth/JoinWithInvitation.tsx | 36 +- components/interfaces/CSC/CscAuditLogs.tsx | 56 +- components/interfaces/CSC/PieChart.tsx | 74 +- components/interfaces/CSC/RadarChart.tsx | 78 +- components/interfaces/CSC/SectionFilter.tsx | 18 +- components/interfaces/CSC/StatusFilter.tsx | 20 +- components/interfaces/CSC/StatusHeader.tsx | 184 +- components/interfaces/CSC/StatusSelector.tsx | 27 +- components/interfaces/CSC/StatusesTable.tsx | 182 +- components/interfaces/CSC/TaskSelector.tsx | 104 +- components/interfaces/CSC/TasksList.tsx | 53 +- .../CSC/issue_panel/ControlBlock.tsx | 139 +- .../CSC/issue_panel/ControlBlockViewOnly.tsx | 126 +- .../interfaces/CSC/issue_panel/CscPanel.tsx | 205 ++- components/interfaces/RPA/CreateFormBody.tsx | 397 ++-- components/interfaces/RPA/CreateRPA.tsx | 183 +- .../interfaces/RPA/DashboardCreateRPA.tsx | 234 +-- components/interfaces/RPA/DeleteRpa.tsx | 68 +- components/interfaces/RPA/RpaAuditLogs.tsx | 55 +- components/interfaces/RPA/RpaTable.tsx | 120 +- .../interfaces/RPA/TaskPickerFormBody.tsx | 111 +- .../interfaces/RPA/issue_panel/RpaPanel.tsx | 237 +-- components/interfaces/TIA/CreateFormBody.tsx | 936 +++++----- components/interfaces/TIA/CreateTIA.tsx | 342 ++-- .../interfaces/TIA/DashboardCreateTIA.tsx | 392 ++-- components/interfaces/TIA/DeleteTia.tsx | 69 +- components/interfaces/TIA/RiskLevel.tsx | 12 +- components/interfaces/TIA/TiaAuditLogs.tsx | 55 +- components/interfaces/TIA/TiaTable.tsx | 124 +- 
components/interfaces/TIA/TransferIs.tsx | 12 +- .../interfaces/TIA/issue_panel/TiaPanel.tsx | 506 ++++-- components/interfaces/Task/AttachmentCard.tsx | 157 +- components/interfaces/Task/Attachments.tsx | 91 +- components/interfaces/Task/Comments.tsx | 39 +- components/interfaces/Task/CommentsTab.tsx | 27 +- components/interfaces/Task/CreateTask.tsx | 91 +- .../interfaces/Task/DeleteAttachment.tsx | 135 +- components/interfaces/Task/DeleteTask.tsx | 56 +- components/interfaces/Task/EditTask.tsx | 118 +- components/interfaces/Task/TaskDetails.tsx | 352 ++-- components/interfaces/Task/TaskTab.tsx | 27 +- components/interfaces/Task/Tasks.tsx | 108 +- components/interfaces/Team/Teams.tsx | 32 +- components/shared/Card.tsx | 31 +- components/shared/Icon.tsx | 20 +- components/shared/PerPageSelector.tsx | 18 +- components/shared/StatusBadge.tsx | 14 +- components/shared/TeamDropdown.tsx | 15 +- components/shared/atlaskit/Field.tsx | 26 +- components/shared/atlaskit/Message.tsx | 20 +- .../shared/atlaskit/PerPageSelector.tsx | 22 +- .../shared/atlaskit/TaskPickerFormBody.tsx | 111 +- components/shared/shell/Brand.tsx | 4 +- components/shared/shell/TeamNavigation.tsx | 6 +- components/team/Billing.tsx | 10 +- components/team/CSCSettings.tsx | 124 +- components/team/Teams.tsx | 160 +- components/webhook/EventTypes.tsx | 2 +- hooks/useISO.ts | 61 +- hooks/usePagination.ts | 2 +- hooks/useTeam.ts | 2 +- lib/common.ts | 2 +- lib/csc.ts | 14 +- models/team.ts | 36 +- pages/_app.tsx | 2 +- pages/api/teams/[slug]/csc/iso.ts | 17 +- .../teams/[slug]/tasks/[taskNumber]/csc.ts | 7 +- pages/dashboard.tsx | 487 ++--- pages/index.tsx | 2 +- pages/privacy/tia/[slug]/overview.tsx | 15 +- pages/privacy/tia/index.tsx | 6 +- pages/rpa.tsx | 628 +++---- pages/teams/[slug]/csc.tsx | 242 +-- pages/teams/[slug]/rpa.tsx | 123 +- pages/teams/[slug]/settings.tsx | 8 +- pages/teams/[slug]/tasks.tsx | 28 +- .../teams/[slug]/tasks/[taskNumber]/index.tsx | 345 ++-- pages/teams/[slug]/tia.tsx | 120 +- 
pages/teams/switch.tsx | 2 +- pages/tia.tsx | 195 +- 87 files changed, 6822 insertions(+), 6134 deletions(-) diff --git a/components/defaultLanding/data/ISO-CSC-controls-2013.json b/components/defaultLanding/data/ISO-CSC-controls-2013.json index f029f0fb..21f4da45 100644 --- a/components/defaultLanding/data/ISO-CSC-controls-2013.json +++ b/components/defaultLanding/data/ISO-CSC-controls-2013.json 
@@ -1,800 +1,800 @@
-[
- {
- "Code": "A.5.1.1",
- "Section": "Information security policies - Management direction for information security",
- "Control": "Policies for information security",
- "Requirements": "A set of policies for information and cybersecurity shall be defined, approved by C-level, published and communicated to employees and relevant external parties.",
- "Status": "Unknown"
- },
- {
- "Code": "A.5.1.2",
- "Section": "Information security policies - Management direction for information security",
- "Control": "Review of the policies for information security",
- "Requirements": "The policies for information and cybersecurity shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, communication and effectiveness.",
- "Status": "Unknown"
- },
- {
- "Code": "A.6.1.1",
- "Section": "Organization of information security - Internal Organization",
- "Control": "Information security roles and responsibilities",
- "Requirements": "All information and cybersecurity roles and responsibilities shall be defined and allocated.",
- "Status": "Unknown"
- },
- {
- "Code": "A.6.1.2",
- "Section": "Organization of information security - Internal Organization",
- "Control": "Segregation of duties",
- "Requirements": "Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.",
- "Status": "Unknown"
- },
- {
- "Code": "A.6.1.3",
- "Section": "Organization of information security - Internal Organization",
- "Control": "Contact with authorities",
- "Requirements": "It is necessary to maintain proper communications with the relevant authorities.",
- "Status": "Unknown"
- },
- {
- "Code": "A.6.1.4",
- "Section": "Organization of information security - Internal Organization",
- "Control": "Contact with special interest groups",
- "Requirements": "Appropriate connections should be established 
with special interest organizations or other forums for professional security and professional associations.",
- "Status": "Unknown"
- },
- {
- "Code": "A.6.1.5",
- "Section": "Organization of information security - Internal Organization",
- "Control": "Information security in project management",
- "Requirements": "Throughout project management, the confidentiality of information should be discussed irrespective of project type",
- "Status": "Unknown"
- },
- {
- "Code": "A.6.2.1",
- "Section": "Organization of information security - Mobile devices and teleworking",
- "Control": "Mobile device policy",
- "Requirements": "To manage the risks introduced by the use of mobile devices, a policy and supporting safety measures should be adopted.",
- "Status": "Unknown"
- },
- {
- "Code": "A.6.2.2",
- "Section": "Organization of information security - Mobile devices and teleworking",
- "Control": "Teleworking",
- "Requirements": "To guard the accessed, processed, or stored information at teleworking sites, a policy and supporting security measures should be implemented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.1.1",
- "Section": "Human Resources Security - Prior to employment",
- "Control": "Screening",
- "Requirements": "Background verification checks on all job applicants will be performed in compliance with applicable rules, legislation, and ethics and should be proportionate to business criteria, classification of the information to be obtained, and potential risks.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.1.2",
- "Section": "Human Resources Security - Prior to employment",
- "Control": "Terms and conditions of employment",
- "Requirements": "Contract agreements with employees and contractors would set out their responsibility for information security, and hence the responsibility of the company.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.2.1 ",
- "Section": "Human Resources Security - During employment",
- "Control": "Management responsibilities",
- 
"Requirements": "Management should mandate all employees and contractors to exercise information security in accordance with established policies and procedures set by the organization.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.2.2 ",
- "Section": "Human Resources Security - During employment",
- "Control": "Information security awareness, education and training",
- "Requirements": "All company workers and, where necessary, contractors will receive adequate awareness education and training, as well as daily updates on organizational policies and procedures, as applicable to their job function.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.2.3 ",
- "Section": "Human Resources Security - During employment",
- "Control": "Disciplinary process",
- "Requirements": "A formal and informed administrative process will be in place to take action against employees who have committed an information security breach.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.3.1 ",
- "Section": "Human Resources Security - Termination and change of employment",
- "Control": "Termination or change of employment responsibilities",
- "Requirements": "Responsibility and information/cyber security requirements that continue to be valid following termination or change of employment must be defined, communicated to, and implemented by the employee or contractor.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.1.1",
- "Section": "Asset Management - Responsibility for assets",
- "Control": "Inventory of assets",
- "Requirements": "Assets related to information and information facilities of an organization should be identified and listed, inventory of these assets should also be maintained.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.1.2",
- "Section": "Asset Management - Responsibility for assets",
- "Control": "Ownership of assets",
- "Requirements": "Assets in the inventory should have their owners (Asset-owner)",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.1.3",
- "Section": "Asset 
Management - Responsibility for assets",
- "Control": "Acceptable use of assets",
- "Requirements": "Rules should be identified, documented, and implemented for the acceptable use of information and assets linked to information and information processing facilities.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.1.4 ",
- "Section": "Asset Management - Responsibility for assets",
- "Control": "Return of assets",
- "Requirements": "Both workers and external stakeholders must return all the organizational assets in their possession upon termination of their job, contract or agreement",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.2.1 ",
- "Section": "Asset Management - Information classification",
- "Control": "Classification of information",
- "Requirements": "Information should be classification in the basis of their legal provisions, criticality, and vulnerability to unwanted release or alteration",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.2.2 ",
- "Section": "Asset Management - Information classification",
- "Control": "Labelling of information",
- "Requirements": "In accordance with the information classification scheme adopted by the organization, an adequate set of methods for labelling information should be established and implemented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.2.3 ",
- "Section": "Asset Management - Information classification",
- "Control": "Handling of assets",
- "Requirements": "Handling of assets in accordance with the organization’s information classification scheme should be developed and implemented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.3.1 ",
- "Section": "Asset Management - Media handling",
- "Control": "Management of removable media",
- "Requirements": "Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.3.2 ",
- "Section": "Asset Management - Media handling",
- "Control": 
"Disposal of media",
- "Requirements": "When not required by specific protocols, media should be disposed of securely.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.3.3 ",
- "Section": "Asset Management - Media handling",
- "Control": "Physical media transfer",
- "Requirements": "Information media should be protected from unauthorized access, misuse or corruption during transportation.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.1.1 ",
- "Section": "Access Control - Business requirements of access control",
- "Control": "Access control policy",
- "Requirements": "An access control policy with supporting business and information security requirements should be established, documented, and reviewed.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.1.2 ",
- "Section": "Access Control - Business requirements of access control",
- "Control": "Access to networks and network services",
- "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.2.1 ",
- "Section": "Access Control - User access management",
- "Control": "User registration and de-registration",
- "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.2.2 ",
- "Section": "Access Control - User access management",
- "Control": "User access provisioning",
- "Requirements": "A formal process for granting access to users should be put in place to grant or remove access privileges for all categories of users to all systems and services.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.2.3 ",
- "Section": "Access Control - User access management",
- "Control": "Management of privileged access rights",
- "Requirements": "A structured authorizing procedure in accordance with the appropriate access management policies should monitor the allocation and usage of delegated access 
privileges.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.2.4 ",
- "Section": "Access Control - User access management",
- "Control": "Management of secret authentication information of users",
- "Requirements": "A structured management process should control the allocation of secret authentication information.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.2.5 ",
- "Section": "Access Control - User access management",
- "Control": "Review of user access rights",
- "Requirements": "Access rights of users should be reviewed regularly by asset owners.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.2.6 ",
- "Section": "Access Control - User access management",
- "Control": "Removal or adjustment of access rights",
- "Requirements": "Access rights of all employees and external users to information and information processing facilities should be waived upon termination of jobs, contract or agreement, or changed upon adjustment.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.3.1 ",
- "Section": "Access Control - User responsibilities",
- "Control": "Use of secret authentication information of users",
- "Requirements": "Use of secret authentication information should be allowed for users to follow the organization’s practices.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.4.1 ",
- "Section": "Access Control - System and application access control",
- "Control": "Information access restriction",
- "Requirements": "Access controls should be based on individual requirements for business applications and in compliance with a specified access control policy.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.4.2 ",
- "Section": "Access Control - System and application access control",
- "Control": "Secure log-on procedures",
- "Requirements": "Access to systems and applications should be controlled by a secure log-on procedure when required by the Access Control Policy.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.4.3 ",
- "Section": "Access Control - System and 
application access control",
- "Control": "Password management system",
- "Requirements": "Password management systems should be cooperative to ensure the quality of the passwords.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.4.4 ",
- "Section": "Access Control - System and application access control",
- "Control": "Use of privileged utility programs",
- "Requirements": "The use of utility programs that could bypass system and application controls should be limited and tightly controlled.",
- "Status": "Unknown"
- },
- {
- "Code": "A.9.4.5 ",
- "Section": "Access Control - System and application access control",
- "Control": "Access control to program source code",
- "Requirements": "Access should be limited to the source code of the program.",
- "Status": "Unknown"
- },
- {
- "Code": "A.10.1.1 ",
- "Section": "Cryptography - Cryptographic controls",
- "Control": "Policy on the use of cryptographic controls",
- "Requirements": "A policy on the use of cryptographic controls for protection of information shall be developed and implemented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.10.1.2 ",
- "Section": "Cryptography - Cryptographic controls",
- "Control": "Key management",
- "Requirements": "A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.1.1 ",
- "Section": "Physical and Environmental Security - Secure Areas",
- "Control": "Physical security perimeter",
- "Requirements": "Security perimeters should be established in order to secure areas that contain either sensitive or confidential information and information processing facilities.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.1.2 ",
- "Section": "Physical and Environmental Security - Secure Areas",
- "Control": "Physical entry controls",
- "Requirements": "Appropriate access controls should protect places to ensure that only authorized employees are allowed access.",
- 
"Status": "Unknown"
- },
- {
- "Code": "A.11.1.3 ",
- "Section": "Physical and Environmental Security - Secure Areas",
- "Control": "Securing offices, rooms and facilities",
- "Requirements": "Physical security should be designed and implemented for the offices, rooms, and facilities.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.1.4 ",
- "Section": "Physical and Environmental Security - Secure Areas",
- "Control": "Protecting against external and environmental threats",
- "Requirements": "Physical protection should be designed and applied against natural disasters, malicious attacks or accidents.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.1.5 ",
- "Section": "Physical and Environmental Security - Secure Areas",
- "Control": "Working in secure areas",
- "Requirements": "Procedures should be designed and implemented for working in safe areas.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.1.6 ",
- "Section": "Physical and Environmental Security - Secure Areas",
- "Control": "Delivery and loading areas",
- "Requirements": "It is important to track and, where possible, differentiate between access points such as the distribution and loading areas and other locations in order to avoid unauthorized access by unauthorized persons to the premises.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.2.1 ",
- "Section": "Physical and Environmental Security - Equipment",
- "Control": "Equipment siting and protection",
- "Requirements": "To mitigate the risk of environmental hazards, risks, and unauthorized access, the equipment should be sited and secured.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.2.2 ",
- "Section": "Physical and Environmental Security - Equipment",
- "Control": "Supporting utilities",
- "Requirements": "Equipment should be secured against power failures and other disruptions caused by the supporting infrastructure failures.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.2.3 ",
- "Section": "Physical and Environmental Security - Equipment",
- "Control": "Cabling security",
- "Requirements": "Cable for power and telecommunications that carry data or support services should be safeguarded against interception, interference, or damage.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.2.4 ",
- "Section": "Physical and Environmental Security - Equipment",
- "Control": "Equipment maintenance",
- "Requirements": "To ensure its continued availability and integrity, the equipment should be correctly maintained.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.2.5 ",
- "Section": "Physical and Environmental Security - Equipment",
- "Control": "Removal of assets",
- "Requirements": "Without prior authorization, equipment, information, or software should not be taken off-site.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.2.6 ",
- "Section": "Physical and Environmental Security - Equipment",
- "Control": "Security of equipment and assets off-premises",
- "Requirements": "The security of off-site assets should be applied to the various risks of working outside the premises of the organization in mind.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.2.7 ",
- "Section": "Physical and Environmental Security - Equipment",
- "Control": "Secure disposal or re-use of equipment",
- "Requirements": "To avoid the removal or overriding of sensitive data and software by the disposal or reuse of any device containing storage medium, all devices must be reviewed.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.2.8 ",
- "Section": "Physical and Environmental Security - Equipment",
- "Control": "Unattended user equipment",
- "Requirements": "Unattended equipment should be adequately protected by users.",
- "Status": "Unknown"
- },
- {
- "Code": "A.11.2.9 ",
- "Section": "Physical and Environmental Security - Equipment",
- "Control": "Clear desk and clear screen policy",
- "Requirements": "A clear desk policy should be adopted for papers and removable storage media and a clear screen policy should be applied to information 
processing facilities.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.1.1",
- "Section": "Operations security - Operational procedures and responsibilities",
- "Control": "Documented operating procedures",
- "Requirements": "Operating procedures should be documented and accessed by all users in need.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.1.2 ",
- "Section": "Operations security - Operational procedures and responsibilities",
- "Control": "Change management",
- "Requirements": "Changes in the organization, organizational procedures, information management facilities, and information security systems should be controlled.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.1.3 ",
- "Section": "Operations security - Operational procedures and responsibilities",
- "Control": "Capacity management",
- "Requirements": "In order to ensure necessary system performance, the use of resources should be monitored, adapted, and projected based on future capacity requirements.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.1.4 ",
- "Section": "Operations security - Operational procedures and responsibilities",
- "Control": "Separation of development, testing and operational environments",
- "Requirements": "It is important to define and enforce the degree of separation between organizational, testing and development environments needed to avoid operational problems.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.2.1 ",
- "Section": "Operations security - Protection from malware",
- "Control": "Controls against malware",
- "Requirements": "In combination with appropriate user awareness, the detection, prevention, and recovery controls to protect against malware should be implemented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.3.1 ",
- "Section": "Operations security - Backup",
- "Control": "Information backup",
- "Requirements": "In accordance with the agreed backup policy, copies of records, program and device images shall be collected and regularly tested.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.4.1 ",
- "Section": "Operations security - Logging and monitoring",
- "Control": "Event logging",
- "Requirements": "Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions, defects, and information security events.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.4.2 ",
- "Section": "Operations security - Logging and monitoring",
- "Control": "Protection of log information",
- "Requirements": "Logging and log information should be secure from intrusion and unauthorized access.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.4.3 ",
- "Section": "Operations security - Logging and monitoring",
- "Control": "Administrator and operator logs",
- "Requirements": "The activity of the System Manager and System Operator is to be logged, and the logs kept safe and monitored closely.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.4.4 ",
- "Section": "Operations security - Logging and monitoring",
- "Control": "Clock synchronization",
- "Requirements": "Clocks in all related information management systems should be integrated into a single reference time source for an organization or safety domain.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.5.1 ",
- "Section": "Operations security - Control of operational software",
- "Control": "Installation of software on operational systems",
- "Requirements": "To control the installation of software on operating systems, procedures should be implemented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.6.1 ",
- "Section": "Operations security - Technical Vulnerability Management",
- "Control": "Management of technical vulnerabilities",
- "Requirements": "Information on technological vulnerabilities of information systems used should be obtained in a timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate measures taken to address the risk involved",
- "Status": "Unknown"
- },
- {
- "Code": 
"A.12.6.2 ",
- "Section": "Operations security - Technical Vulnerability Management",
- "Control": "Restrictions on software installation",
- "Requirements": "Users should set and implement rules governing software installation.",
- "Status": "Unknown"
- },
- {
- "Code": "A.12.7.1 ",
- "Section": "Operations security - Information systems audit controls",
- "Control": "Information system audit controls",
- "Requirements": "The audit criteria and activities related to operating system verification should be carefully prepared and decided in order to reduce business process disturbance.",
- "Status": "Unknown"
- },
- {
- "Code": "A.13.1.1 ",
- "Section": "Communications security - Network security management",
- "Control": "Network controls",
- "Requirements": "To protect information in systems and applications, networks should be managed and monitored.",
- "Status": "Unknown"
- },
- {
- "Code": "A.13.1.2 ",
- "Section": "Communications security - Network security management",
- "Control": "Security of network services",
- "Requirements": "Security protocols, quality of service, and management criteria for all network services, whether in-house or outsourced, should be defined and included in-network services agreements.",
- "Status": "Unknown"
- },
- {
- "Code": "A.13.1.3 ",
- "Section": "Communications security - Network security management",
- "Control": "Segregation in networks",
- "Requirements": "Network segregation should be established for information services, users, and information systems.",
- "Status": "Unknown"
- },
- {
- "Code": "A.13.2.1 ",
- "Section": "Communications security - Information transfer",
- "Control": "Information transfer policies and procedures",
- "Requirements": "In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed.",
- "Status": "Unknown"
- },
- {
- "Code": "A.13.2.2 ",
- "Section": "Communications security - Information transfer",
- "Control": "Agreements on information transfer",
- "Requirements": "Agreements should address secure transfers between the organization and outside parties of business information.",
- "Status": "Unknown"
- },
- {
- "Code": "A.13.2.3 ",
- "Section": "Communications security - Information transfer",
- "Control": "Electronic messaging",
- "Requirements": "Electronic messaging information should be adequately protected.",
- "Status": "Unknown"
- },
- {
- "Code": "A.13.2.4 ",
- "Section": "Communications security - Information transfer",
- "Control": "Confidentiality or non-disclosure agreements",
- "Requirements": "Information protection requirements of the organization for confidentiality or non-disclosure agreements should be identified, regularly reviewed, and documented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.1.1 ",
- "Section": "System acquisition, development and maintenance - Security requirements of information systems",
- "Control": "Security requirements of information systems",
- "Requirements": "Information security requirements for new information systems or enhancements to existing information systems should be included",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.1.2 ",
- "Section": "System acquisition, development and maintenance - Security requirements of information systems",
- "Control": "Securing application services on public networks",
- "Requirements": "Application services which pass through public networks should be protected against fraudulent activities, contract disputes, unauthorized disclosure, and modification.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.1.3 ",
- "Section": "System acquisition, development and maintenance - Security requirements of information systems",
- "Control": "Protecting application services transactions",
- "Requirements": "In order to avoid incomplete transmission, misrouting, unauthorized messaging modification, unauthorized dissemination, unauthorized message replication, or replay, 
information concerning application service transactions should be covered.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.2.1 ",
- "Section": "System acquisition, development and maintenance - Security in development and support processes",
- "Control": "Secure development policy",
- "Requirements": "Regulations for software and system development should be laid down and applied to organizational developments.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.2.2 ",
- "Section": "System acquisition, development and maintenance - Security in development and support processes",
- "Control": "System change control procedures",
- "Requirements": "Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.2.3 ",
- "Section": "System acquisition, development and maintenance - Security in development and support processes",
- "Control": "Technical review of applications after operating platform changes",
- "Requirements": "In changing operating platforms, critical applications of business should be revised and tested to ensure no adverse impacts on business or security.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.2.4 ",
- "Section": "System acquisition, development and maintenance - Security in development and support processes",
- "Control": "Restrictions on changes to software packages",
- "Requirements": "Software package modifications should be discouraged, restricted to the modifications necessary, and all changes controlled strictly.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.2.5 ",
- "Section": "System acquisition, development and maintenance - Security in development and support processes",
- "Control": "Secure system engineering principles",
- "Requirements": "In the implementation of any information system implementation project, standards for secure system engineered must be established, documented, maintained, and 
implemented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.2.6 ",
- "Section": "System acquisition, development and maintenance - Security in development and support processes",
- "Control": "Secure development environment",
- "Requirements": "Organizations should create secure development environments and integration efforts for the entire life cycle of system development, and should be adequately protected.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.2.7 ",
- "Section": "System acquisition, development and maintenance - Security in development and support processes",
- "Control": "Outsourced development",
- "Requirements": "The organization must monitor activity for the development of the outsourced system.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.2.8 ",
- "Section": "System acquisition, development and maintenance - Security in development and support processes",
- "Control": "System security testing",
- "Requirements": "During development, security functionality test should be conducted.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.2.9 ",
- "Section": "System acquisition, development and maintenance - Security in development and support processes",
- "Control": "System acceptance testing",
- "Requirements": "New information systems, enhancements, and updated versions should be equipped with acceptance testing services and related requirements.",
- "Status": "Unknown"
- },
- {
- "Code": "A.14.3.1 ",
- "Section": "System acquisition, development and maintenance - Test data",
- "Control": "Protection of test data",
- "Requirements": "Careful collection, security, and review of test data should be performed.",
- "Status": "Unknown"
- },
- {
- "Code": "A.15.1.1 ",
- "Section": "Supplier relationships - Supplier relationships",
- "Control": "Information security policy for supplier relationships",
- "Requirements": "The supplier should be agreed with and documented information security requirements related to the risk mitigation of access by 
suppliers to organizational assets.",
- "Status": "Unknown"
- },
- {
- "Code": "A.15.1.2 ",
- "Section": "Supplier relationships - Supplier relationships",
- "Control": "Addressing security within supplier agreements",
- "Requirements": "Any suppliers that view, process, store, communicate or provide IT infrastructure component information for the organization should be defined and agreed with all applicable information security requirements.",
- "Status": "Unknown"
- },
- {
- "Code": "A.15.1.3 ",
- "Section": "Supplier relationships - Supplier relationships",
- "Control": "Information and communication technology supply chain",
- "Requirements": "Supplier agreements will contain provisions to mitigate information security risks associated with IT Services and the product supply chain.",
- "Status": "Unknown"
- },
- {
- "Code": "A.15.2.1 ",
- "Section": "Supplier relationships - Supplier service delivery management",
- "Control": "Monitoring and review of supplier services",
- "Requirements": "Organizations shall monitor, review and audit the provision of service to suppliers on a regular basis.",
- "Status": "Unknown"
- },
- {
- "Code": "A.15.2.2 ",
- "Section": "Supplier relationships - Supplier service delivery management",
- "Control": "Managing changes to supplier services",
- "Requirements": "Change in the provision of services by providers should be managed with the focus on the criticality of enterprise information, systems, processes, and reassessment of risks and should include maintaining and improving existing information security policies, procedures, and controls.",
- "Status": "Unknown"
- },
- {
- "Code": "A.16.1.1 ",
- "Section": "Information security incident management - Management of information security incidents and improvements",
- "Control": "Responsibilities and procedures",
- "Requirements": "In order to ensure a quick, efficient, and organized response to ISO 27001 Annex : A.16 Information Security Incident Management roles and procedures 
should be defined.",
- "Status": "Unknown"
- },
- {
- "Code": "A.16.1.2 ",
- "Section": "Information security incident management - Management of information security incidents and improvements",
- "Control": "Reporting information security events",
- "Requirements": "Information security incidents should be reported as quickly as possible through appropriate management channels.",
- "Status": "Unknown"
- },
- {
- "Code": "A.16.1.3 ",
- "Section": "Information security incident management - Management of information security incidents and improvements",
- "Control": "Reporting information security weaknesses",
- "Requirements": "Any information security vulnerabilities found or suspected in systems or services in which employees and contractors are using the information systems and services of the organization should be recorded and documented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.16.1.4 ",
- "Section": "Information security incident management - Management of information security incidents and improvements",
- "Control": "Assessment of and decision on information security events",
- "Requirements": "Information security events should be analyzed and determined whether they should be listed as incidents related to information security.",
- "Status": "Unknown"
- },
- {
- "Code": "A.16.1.5 ",
- "Section": "Information security incident management - Management of information security incidents and improvements",
- "Control": "Response to information security incidents",
- "Requirements": "In the context of the documented procedures, information security incidents should be responded to.",
- "Status": "Unknown"
- },
- {
- "Code": "A.16.1.6 ",
- "Section": "Information security incident management - Management of information security incidents and improvements",
- "Control": "Learning from information security incidents",
- "Requirements": "To minimize the risk or effect of potential accidents, the experience obtained from the study and mitigation of 
information security accidents should be used.",
- "Status": "Unknown"
- },
- {
- "Code": "A.16.1.7 ",
- "Section": "Information security incident management - Management of information security incidents and improvements",
- "Control": "Collection of evidence",
- "Requirements": "The organization will define, obtain, procure and retain information as documentation and implement procedures.",
- "Status": "Unknown"
- },
- {
- "Code": "A.17.1.1 ",
- "Section": "Information security aspects of business continuity management - Information security continuity",
- "Control": "Planning information security continuity",
- "Requirements": "In adverse circumstances, e.g. during a crisis or a catastrophe, the company will determine the information security standards and consistency of information security management.",
- "Status": "Unknown"
- },
- {
- "Code": "A.17.1.2",
- "Section": "Information security aspects of business continuity management - Information security continuity",
- "Control": "Implementing information security continuity",
- "Requirements": "In order to ensure the necessary degree of consistency of information security to adverse circumstances, the company should define, document, execute, and maintain processes, procedures, and controls.",
- "Status": "Unknown"
- },
- {
- "Code": "A.17.1.3 ",
- "Section": "Information security aspects of business continuity management - Information security continuity",
- "Control": "Verify, review and evaluate information security continuity",
- "Requirements": "In order to ensure accurate and productive to adverse circumstances, the company must review on-going controls on safety information defined and enforced at regular intervals.",
- "Status": "Unknown"
- },
- {
- "Code": "A.17.2.1 ",
- "Section": "Information security aspects of business continuity management - Redundancies",
- "Control": "Availability of information processing facilities",
- "Requirements": "How information processing facilities are implemented 
with redundancy sufficiency to meet availability requirements. Redundancy refers to implementing, typically, duplicate hardware to ensure availability of information processing systems.",
- "Status": "Unknown"
- },
- {
- "Code": "A.18.1.1 ",
- "Section": "Compliance - Compliance with legal and contractual requirements",
- "Control": "Identification of applicable legislation and contractual requirements",
- "Requirements": "Each of information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.",
- "Status": "Unknown"
- },
- {
- "Code": "A.18.1.2 ",
- "Section": "Compliance - Compliance with legal and contractual requirements",
- "Control": "Intellectual property rights",
- "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.",
- "Status": "Unknown"
- },
- {
- "Code": "A.18.1.3 ",
- "Section": "Compliance - Compliance with legal and contractual requirements",
- "Control": "Protection of records",
- "Requirements": "In accordance with the provisions to legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification, and unauthorized access and unauthorized release.",
- "Status": "Unknown"
- },
- {
- "Code": "A.18.1.4 ",
- "Section": "Compliance - Compliance with legal and contractual requirements",
- "Control": "Privacy and protection of personally identifiable information",
- "Requirements": "Privacy and protection of personal data should be guaranteed, as required, in applicable laws and regulations.",
- "Status": "Unknown"
- },
- {
- "Code": "A.18.1.5 ",
- "Section": "Compliance - Compliance with legal and contractual requirements",
- "Control": "Regulation of cryptographic 
controls",
- "Requirements": "In accordance with all relevant agreements, legislation, and regulations, cryptographic controls must be used.",
- "Status": "Unknown"
- },
- {
- "Code": "A.18.2.1 ",
- "Section": "Compliance - Information security reviews",
- "Control": "Independent review of information security",
- "Requirements": "Each of these information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.",
- "Status": "Unknown"
- },
- {
- "Code": "A.18.2.2 ",
- "Section": "Compliance - Information security reviews",
- "Control": "Compliance with security policies and standards",
- "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.",
- "Status": "Unknown"
- },
- {
- "Code": "A.18.2.3 ",
- "Section": "Compliance - Information security reviews",
- "Control": "Technical compliance review",
- "Requirements": "Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.",
- "Status": "Unknown"
- }
-]
\ No newline at end of file
+[
+ {
+ "Code": "A.5.1.1",
+ "Section": "Information security policies - Management direction for information security",
+ "Control": "Policies for information security",
+ "Requirements": "A set of policies for information and cybersecurity shall be defined, approved by C-level, published and communicated to employees and relevant external parties.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.1.2",
+ "Section": "Information security policies - Management direction for information security",
+ "Control": "Review of the policies for information security",
+ "Requirements": "The policies for information and cybersecurity shall 
be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, communication and effectiveness.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.1",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Information security roles and responsibilities",
+ "Requirements": "All information and cybersecurity roles and responsibilities shall be defined and allocated.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.2",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Segregation of duties",
+ "Requirements": "Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.3",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Contact with authorities",
+ "Requirements": "It is necessary to maintain proper communications with the relevant authorities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.4",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Contact with special interest groups",
+ "Requirements": "Appropriate connections should be established with special interest organizations or other forums for professional security and professional associations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1.5",
+ "Section": "Organization of information security - Internal Organization",
+ "Control": "Information security in project management",
+ "Requirements": "Throughout project management, the confidentiality of information should be discussed irrespective of project type",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.2.1",
+ "Section": "Organization of information security - Mobile devices and teleworking",
+ "Control": "Mobile device policy",
+ "Requirements": "To manage the risks introduced 
by the use of mobile devices, a policy and supporting safety measures should be adopted.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.2.2",
+ "Section": "Organization of information security - Mobile devices and teleworking",
+ "Control": "Teleworking",
+ "Requirements": "To guard the accessed, processed, or stored information at teleworking sites, a policy and supporting security measures should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.1.1",
+ "Section": "Human Resources Security - Prior to employment",
+ "Control": "Screening",
+ "Requirements": "Background verification checks on all job applicants will be performed in compliance with applicable rules, legislation, and ethics and should be proportionate to business criteria, classification of the information to be obtained, and potential risks.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.1.2",
+ "Section": "Human Resources Security - Prior to employment",
+ "Control": "Terms and conditions of employment",
+ "Requirements": "Contract agreements with employees and contractors would set out their responsibility for information security, and hence the responsibility of the company.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.2.1 ",
+ "Section": "Human Resources Security - During employment",
+ "Control": "Management responsibilities",
+ "Requirements": "Management should mandate all employees and contractors to exercise information security in accordance with established policies and procedures set by the organization.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.2.2 ",
+ "Section": "Human Resources Security - During employment",
+ "Control": "Information security awareness, education and training",
+ "Requirements": "All company workers and, where necessary, contractors will receive adequate awareness education and training, as well as daily updates on organizational policies and procedures, as applicable to their job function.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.2.3 
",
+ "Section": "Human Resources Security - During employment",
+ "Control": "Disciplinary process",
+ "Requirements": "A formal and informed administrative process will be in place to take action against employees who have committed an information security breach.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.3.1 ",
+ "Section": "Human Resources Security - Termination and change of employment",
+ "Control": "Termination or change of employment responsibilities",
+ "Requirements": "Responsibility and information/cyber security requirements that continue to be valid following termination or change of employment must be defined, communicated to, and implemented by the employee or contractor.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1.1",
+ "Section": "Asset Management - Responsibility for assets",
+ "Control": "Inventory of assets",
+ "Requirements": "Assets related to information and information facilities of an organization should be identified and listed, inventory of these assets should also be maintained.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1.2",
+ "Section": "Asset Management - Responsibility for assets",
+ "Control": "Ownership of assets",
+ "Requirements": "Assets in the inventory should have their owners (Asset-owner)",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1.3",
+ "Section": "Asset Management - Responsibility for assets",
+ "Control": "Acceptable use of assets",
+ "Requirements": "Rules should be identified, documented, and implemented for the acceptable use of information and assets linked to information and information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1.4 ",
+ "Section": "Asset Management - Responsibility for assets",
+ "Control": "Return of assets",
+ "Requirements": "Both workers and external stakeholders must return all the organizational assets in their possession upon termination of their job, contract or agreement",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.2.1 ",
+ "Section": 
"Asset Management - Information classification",
+ "Control": "Classification of information",
+ "Requirements": "Information should be classification in the basis of their legal provisions, criticality, and vulnerability to unwanted release or alteration",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.2.2 ",
+ "Section": "Asset Management - Information classification",
+ "Control": "Labelling of information",
+ "Requirements": "In accordance with the information classification scheme adopted by the organization, an adequate set of methods for labelling information should be established and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.2.3 ",
+ "Section": "Asset Management - Information classification",
+ "Control": "Handling of assets",
+ "Requirements": "Handling of assets in accordance with the organization’s information classification scheme should be developed and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.3.1 ",
+ "Section": "Asset Management - Media handling",
+ "Control": "Management of removable media",
+ "Requirements": "Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.3.2 ",
+ "Section": "Asset Management - Media handling",
+ "Control": "Disposal of media",
+ "Requirements": "When not required by specific protocols, media should be disposed of securely.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.3.3 ",
+ "Section": "Asset Management - Media handling",
+ "Control": "Physical media transfer",
+ "Requirements": "Information media should be protected from unauthorized access, misuse or corruption during transportation.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.1.1 ",
+ "Section": "Access Control - Business requirements of access control",
+ "Control": "Access control policy",
+ "Requirements": "An access control policy with supporting business and information security 
requirements should be established, documented, and reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.1.2 ",
+ "Section": "Access Control - Business requirements of access control",
+ "Control": "Access to networks and network services",
+ "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.1 ",
+ "Section": "Access Control - User access management",
+ "Control": "User registration and de-registration",
+ "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.2 ",
+ "Section": "Access Control - User access management",
+ "Control": "User access provisioning",
+ "Requirements": "A formal process for granting access to users should be put in place to grant or remove access privileges for all categories of users to all systems and services.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.3 ",
+ "Section": "Access Control - User access management",
+ "Control": "Management of privileged access rights",
+ "Requirements": "A structured authorizing procedure in accordance with the appropriate access management policies should monitor the allocation and usage of delegated access privileges.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.4 ",
+ "Section": "Access Control - User access management",
+ "Control": "Management of secret authentication information of users",
+ "Requirements": "A structured management process should control the allocation of secret authentication information.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.5 ",
+ "Section": "Access Control - User access management",
+ "Control": "Review of user access rights",
+ "Requirements": "Access rights of users should be reviewed regularly by asset owners.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.2.6 ",
+ "Section": "Access Control - User 
access management",
+ "Control": "Removal or adjustment of access rights",
+ "Requirements": "Access rights of all employees and external users to information and information processing facilities should be waived upon termination of jobs, contract or agreement, or changed upon adjustment.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.3.1 ",
+ "Section": "Access Control - User responsibilities",
+ "Control": "Use of secret authentication information of users",
+ "Requirements": "Use of secret authentication information should be allowed for users to follow the organization’s practices.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.1 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Information access restriction",
+ "Requirements": "Access controls should be based on individual requirements for business applications and in compliance with a specified access control policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.2 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Secure log-on procedures",
+ "Requirements": "Access to systems and applications should be controlled by a secure log-on procedure when required by the Access Control Policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.3 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Password management system",
+ "Requirements": "Password management systems should be cooperative to ensure the quality of the passwords.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.4 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Use of privileged utility programs",
+ "Requirements": "The use of utility programs that could bypass system and application controls should be limited and tightly controlled.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.9.4.5 ",
+ "Section": "Access Control - System and application access control",
+ "Control": "Access control to 
program source code",
+ "Requirements": "Access should be limited to the source code of the program.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.10.1.1 ",
+ "Section": "Cryptography - Cryptographic controls",
+ "Control": "Policy on the use of cryptographic controls",
+ "Requirements": "A policy on the use of cryptographic controls for protection of information shall be developed and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.10.1.2 ",
+ "Section": "Cryptography - Cryptographic controls",
+ "Control": "Key management",
+ "Requirements": "A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.1 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Physical security perimeter",
+ "Requirements": "Security perimeters should be established in order to secure areas that contain either sensitive or confidential information and information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.2 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Physical entry controls",
+ "Requirements": "Appropriate access controls should protect places to ensure that only authorized employees are allowed access.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.3 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Securing offices, rooms and facilities",
+ "Requirements": "Physical security should be designed and implemented for the offices, rooms, and facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.4 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Protecting against external and environmental threats",
+ "Requirements": "Physical protection should be designed and applied against natural disasters, malicious attacks or accidents.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.5 ", 
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Working in secure areas",
+ "Requirements": "Procedures should be designed and implemented for working in safe areas.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.1.6 ",
+ "Section": "Physical and Environmental Security - Secure Areas",
+ "Control": "Delivery and loading areas",
+ "Requirements": "It is important to track and, where possible, differentiate between access points such as the distribution and loading areas and other locations in order to avoid unauthorized access by unauthorized persons to the premises.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.1 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Equipment siting and protection",
+ "Requirements": "To mitigate the risk of environmental hazards, risks, and unauthorized access, the equipment should be sited and secured.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.2 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Supporting utilities",
+ "Requirements": "Equipment should be secured against power failures and other disruptions caused by the supporting infrastructure failures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.3 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Cabling security",
+ "Requirements": "Cable for power and telecommunications that carry data or support services should be safeguarded against interception, interference, or damage.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.4 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Equipment maintenance",
+ "Requirements": "To ensure its continued availability and integrity, the equipment should be correctly maintained.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.5 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Removal of assets",
+ "Requirements": "Without prior 
authorization, equipment, information, or software should not be taken off-site.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.6 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Security of equipment and assets off-premises",
+ "Requirements": "The security of off-site assets should be applied to the various risks of working outside the premises of the organization in mind.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.7 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Secure disposal or re-use of equipment",
+ "Requirements": "To avoid the removal or overriding of sensitive data and software by the disposal or reuse of any device containing storage medium, all devices must be reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.8 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Unattended user equipment",
+ "Requirements": "Unattended equipment should be adequately protected by users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.11.2.9 ",
+ "Section": "Physical and Environmental Security - Equipment",
+ "Control": "Clear desk and clear screen policy",
+ "Requirements": "A clear desk policy should be adopted for papers and removable storage media and a clear screen policy should be applied to information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.1.1",
+ "Section": "Operations security - Operational procedures and responsibilities",
+ "Control": "Documented operating procedures",
+ "Requirements": "Operating procedures should be documented and accessed by all users in need.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.1.2 ",
+ "Section": "Operations security - Operational procedures and responsibilities",
+ "Control": "Change management",
+ "Requirements": "Changes in the organization, organizational procedures, information management facilities, and information security systems should be controlled.",
+ "Status": 
"Unknown"
+ },
+ {
+ "Code": "A.12.1.3 ",
+ "Section": "Operations security - Operational procedures and responsibilities",
+ "Control": "Capacity management",
+ "Requirements": "In order to ensure necessary system performance, the use of resources should be monitored, adapted, and projected based on future capacity requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.1.4 ",
+ "Section": "Operations security - Operational procedures and responsibilities",
+ "Control": "Separation of development, testing and operational environments",
+ "Requirements": "It is important to define and enforce the degree of separation between organizational, testing and development environments needed to avoid operational problems.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.2.1 ",
+ "Section": "Operations security - Protection from malware",
+ "Control": "Controls against malware",
+ "Requirements": "In combination with appropriate user awareness, the detection, prevention, and recovery controls to protect against malware should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.3.1 ",
+ "Section": "Operations security - Backup",
+ "Control": "Information backup",
+ "Requirements": "In accordance with the agreed backup policy, copies of records, program and device images shall be collected and regularly tested.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.4.1 ",
+ "Section": "Operations security - Logging and monitoring",
+ "Control": "Event logging",
+ "Requirements": "Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions, defects, and information security events.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.4.2 ",
+ "Section": "Operations security - Logging and monitoring",
+ "Control": "Protection of log information",
+ "Requirements": "Logging and log information should be secure from intrusion and unauthorized access.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.4.3 ",
+ "Section": 
"Operations security - Logging and monitoring",
+ "Control": "Administrator and operator logs",
+ "Requirements": "The activity of the System Manager and System Operator is to be logged, and the logs kept safe and monitored closely.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.4.4 ",
+ "Section": "Operations security - Logging and monitoring",
+ "Control": "Clock synchronization",
+ "Requirements": "Clocks in all related information management systems should be integrated into a single reference time source for an organization or safety domain.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.5.1 ",
+ "Section": "Operations security - Control of operational software",
+ "Control": "Installation of software on operational systems",
+ "Requirements": "To control the installation of software on operating systems, procedures should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.6.1 ",
+ "Section": "Operations security - Technical Vulnerability Management",
+ "Control": "Management of technical vulnerabilities",
+ "Requirements": "Information on technological vulnerabilities of information systems used should be obtained in a timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate measures taken to address the risk involved",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.6.2 ",
+ "Section": "Operations security - Technical Vulnerability Management",
+ "Control": "Restrictions on software installation",
+ "Requirements": "Users should set and implement rules governing software installation.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.12.7.1 ",
+ "Section": "Operations security - Information systems audit controls",
+ "Control": "Information system audit controls",
+ "Requirements": "The audit criteria and activities related to operating system verification should be carefully prepared and decided in order to reduce business process disturbance.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.1.1 
",
+ "Section": "Communications security - Network security management",
+ "Control": "Network controls",
+ "Requirements": "To protect information in systems and applications, networks should be managed and monitored.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.1.2 ",
+ "Section": "Communications security - Network security management",
+ "Control": "Security of network services",
+ "Requirements": "Security protocols, quality of service, and management criteria for all network services, whether in-house or outsourced, should be defined and included in-network services agreements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.1.3 ",
+ "Section": "Communications security - Network security management",
+ "Control": "Segregation in networks",
+ "Requirements": "Network segregation should be established for information services, users, and information systems.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.2.1 ",
+ "Section": "Communications security - Information transfer",
+ "Control": "Information transfer policies and procedures",
+ "Requirements": "In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.2.2 ",
+ "Section": "Communications security - Information transfer",
+ "Control": "Agreements on information transfer",
+ "Requirements": "Agreements should address secure transfers between the organization and outside parties of business information.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.2.3 ",
+ "Section": "Communications security - Information transfer",
+ "Control": "Electronic messaging",
+ "Requirements": "Electronic messaging information should be adequately protected.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.13.2.4 ",
+ "Section": "Communications security - Information transfer",
+ "Control": "Confidentiality or non-disclosure agreements",
+ "Requirements": "Information protection 
requirements of the organization for confidentiality or non-disclosure agreements should be identified, regularly reviewed, and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.1.1 ",
+ "Section": "System acquisition, development and maintenance - Security requirements of information systems",
+ "Control": "Security requirements of information systems",
+ "Requirements": "Information security requirements for new information systems or enhancements to existing information systems should be included",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.1.2 ",
+ "Section": "System acquisition, development and maintenance - Security requirements of information systems",
+ "Control": "Securing application services on public networks",
+ "Requirements": "Application services which pass through public networks should be protected against fraudulent activities, contract disputes, unauthorized disclosure, and modification.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.1.3 ",
+ "Section": "System acquisition, development and maintenance - Security requirements of information systems",
+ "Control": "Protecting application services transactions",
+ "Requirements": "In order to avoid incomplete transmission, misrouting, unauthorized messaging modification, unauthorized dissemination, unauthorized message replication, or replay, information concerning application service transactions should be covered.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.1 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Secure development policy",
+ "Requirements": "Regulations for software and system development should be laid down and applied to organizational developments.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.2 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "System change control procedures",
+ "Requirements": 
"Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.3 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Technical review of applications after operating platform changes",
+ "Requirements": "In changing operating platforms, critical applications of business should be revised and tested to ensure no adverse impacts on business or security.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.4 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Restrictions on changes to software packages",
+ "Requirements": "Software package modifications should be discouraged, restricted to the modifications necessary, and all changes controlled strictly.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.5 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Secure system engineering principles",
+ "Requirements": "In the implementation of any information system implementation project, standards for secure system engineered must be established, documented, maintained, and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.6 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Secure development environment",
+ "Requirements": "Organizations should create secure development environments and integration efforts for the entire life cycle of system development, and should be adequately protected.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.14.2.7 ",
+ "Section": "System acquisition, development and maintenance - Security in development and support processes",
+ "Control": "Outsourced development",
+ "Requirements": "The organization must 
monitor activity for the development of the outsourced system.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.8 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "System security testing", + "Requirements": "During development, security functionality test should be conducted.", + "Status": "Unknown" + }, + { + "Code": "A.14.2.9 ", + "Section": "System acquisition, development and maintenance - Security in development and support processes", + "Control": "System acceptance testing", + "Requirements": "New information systems, enhancements, and updated versions should be equipped with acceptance testing services and related requirements.", + "Status": "Unknown" + }, + { + "Code": "A.14.3.1 ", + "Section": "System acquisition, development and maintenance - Test data", + "Control": "Protection of test data", + "Requirements": "Careful collection, security, and review of test data should be performed.", + "Status": "Unknown" + }, + { + "Code": "A.15.1.1 ", + "Section": "Supplier relationships - Supplier relationships", + "Control": "Information security policy for supplier relationships", + "Requirements": "The supplier should be agreed with and documented information security requirements related to the risk mitigation of access by suppliers to organizational assets.", + "Status": "Unknown" + }, + { + "Code": "A.15.1.2 ", + "Section": "Supplier relationships - Supplier relationships", + "Control": "Addressing security within supplier agreements", + "Requirements": "Any suppliers that view, process, store, communicate or provide IT infrastructure component information for the organization should be defined and agreed with all applicable information security requirements.", + "Status": "Unknown" + }, + { + "Code": "A.15.1.3 ", + "Section": "Supplier relationships - Supplier relationships", + "Control": "Information and communication technology supply chain", + "Requirements": "Supplier 
agreements will contain provisions to mitigate information security risks associated with IT Services and the product supply chain.", + "Status": "Unknown" + }, + { + "Code": "A.15.2.1 ", + "Section": "Supplier relationships - Supplier service delivery management", + "Control": "Monitoring and review of supplier services", + "Requirements": "Organizations shall monitor, review and audit the provision of service to suppliers on a regular basis.", + "Status": "Unknown" + }, + { + "Code": "A.15.2.2 ", + "Section": "Supplier relationships - Supplier service delivery management", + "Control": "Managing changes to supplier services", + "Requirements": "Change in the provision of services by providers should be managed with the focus on the criticality of enterprise information, systems, processes, and reassessment of risks and should include maintaining and improving existing information security policies, procedures, and controls.", + "Status": "Unknown" + }, + { + "Code": "A.16.1.1 ", + "Section": "Information security incident management - Management of information security incidents and improvements", + "Control": "Responsibilities and procedures", + "Requirements": "In order to ensure a quick, efficient, and organized response to ISO 27001 Annex : A.16 Information Security Incident Management roles and procedures should be defined.", + "Status": "Unknown" + }, + { + "Code": "A.16.1.2 ", + "Section": "Information security incident management - Management of information security incidents and improvements", + "Control": "Reporting information security events", + "Requirements": "Information security incidents should be reported as quickly as possible through appropriate management channels.", + "Status": "Unknown" + }, + { + "Code": "A.16.1.3 ", + "Section": "Information security incident management - Management of information security incidents and improvements", + "Control": "Reporting information security weaknesses", + "Requirements": "Any information security 
vulnerabilities found or suspected in systems or services in which employees and contractors are using the information systems and services of the organization should be recorded and documented.", + "Status": "Unknown" + }, + { + "Code": "A.16.1.4 ", + "Section": "Information security incident management - Management of information security incidents and improvements", + "Control": "Assessment of and decision on information security events", + "Requirements": "Information security events should be analyzed and determined whether they should be listed as incidents related to information security.", + "Status": "Unknown" + }, + { + "Code": "A.16.1.5 ", + "Section": "Information security incident management - Management of information security incidents and improvements", + "Control": "Response to information security incidents", + "Requirements": "In the context of the documented procedures, information security incidents should be responded to.", + "Status": "Unknown" + }, + { + "Code": "A.16.1.6 ", + "Section": "Information security incident management - Management of information security incidents and improvements", + "Control": "Learning from information security incidents", + "Requirements": "To minimize the risk or effect of potential accidents, the experience obtained from the study and mitigation of information security accidents should be used.", + "Status": "Unknown" + }, + { + "Code": "A.16.1.7 ", + "Section": "Information security incident management - Management of information security incidents and improvements", + "Control": "Collection of evidence", + "Requirements": "The organization will define, obtain, procure and retain information as documentation and implement procedures.", + "Status": "Unknown" + }, + { + "Code": "A.17.1.1 ", + "Section": "Information security aspects of business continuity management - Information security continuity", + "Control": "Planning information security continuity", + "Requirements": "In adverse circumstances, e.g. 
during a crisis or a catastrophe, the company will determine the information security standards and consistency of information security management.", + "Status": "Unknown" + }, + { + "Code": "A.17.1.2", + "Section": "Information security aspects of business continuity management - Information security continuity", + "Control": "Implementing information security continuity", + "Requirements": "In order to ensure the necessary degree of consistency of information security to adverse circumstances, the company should define, document, execute, and maintain processes, procedures, and controls.", + "Status": "Unknown" + }, + { + "Code": "A.17.1.3 ", + "Section": "Information security aspects of business continuity management - Information security continuity", + "Control": "Verify, review and evaluate information security continuity", + "Requirements": "In order to ensure accurate and productive to adverse circumstances, the company must review on-going controls on safety information defined and enforced at regular intervals.", + "Status": "Unknown" + }, + { + "Code": "A.17.2.1 ", + "Section": "Information security aspects of business continuity management - Redundancies", + "Control": "Availability of information processing facilities", + "Requirements": "How information processing facilities are implemented with redundancy sufficiency to meet availability requirements. 
Redundancy refers to implementing, typically, duplicate hardware to ensure availability of information processing systems.", + "Status": "Unknown" + }, + { + "Code": "A.18.1.1 ", + "Section": "Compliance - Compliance with legal and contractual requirements", + "Control": "Identification of applicable legislation and contractual requirements", + "Requirements": "Each of information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.", + "Status": "Unknown" + }, + { + "Code": "A.18.1.2 ", + "Section": "Compliance - Compliance with legal and contractual requirements", + "Control": "Intellectual property rights", + "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.", + "Status": "Unknown" + }, + { + "Code": "A.18.1.3 ", + "Section": "Compliance - Compliance with legal and contractual requirements", + "Control": "Protection of records", + "Requirements": "In accordance with the provisions to legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification, and unauthorized access and unauthorized release.", + "Status": "Unknown" + }, + { + "Code": "A.18.1.4 ", + "Section": "Compliance - Compliance with legal and contractual requirements", + "Control": "Privacy and protection of personally identifiable information", + "Requirements": "Privacy and protection of personal data should be guaranteed, as required, in applicable laws and regulations.", + "Status": "Unknown" + }, + { + "Code": "A.18.1.5 ", + "Section": "Compliance - Compliance with legal and contractual requirements", + "Control": "Regulation of cryptographic controls", + "Requirements": "In accordance with all relevant 
agreements, legislation, and regulations, cryptographic controls must be used.", + "Status": "Unknown" + }, + { + "Code": "A.18.2.1 ", + "Section": "Compliance - Information security reviews", + "Control": "Independent review of information security", + "Requirements": "Each of these information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.", + "Status": "Unknown" + }, + { + "Code": "A.18.2.2 ", + "Section": "Compliance - Information security reviews", + "Control": "Compliance with security policies and standards", + "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.", + "Status": "Unknown" + }, + { + "Code": "A.18.2.3 ", + "Section": "Compliance - Information security reviews", + "Control": "Technical compliance review", + "Requirements": "Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.", + "Status": "Unknown" + } +] diff --git a/components/defaultLanding/data/ISO-CSC-controls-2022.json b/components/defaultLanding/data/ISO-CSC-controls-2022.json index e319b852..37e88318 100644 --- a/components/defaultLanding/data/ISO-CSC-controls-2022.json +++ b/components/defaultLanding/data/ISO-CSC-controls-2022.json 
@@ -1,653 +1,653 @@ -[ - { - "Code": "A.5.1", - "Section": "Organizational controls", - "Control": "Policies for information security", - "Requirements": "A set of policies for information and cybersecurity shall be defined, approved by C-level, published and communicated to employees and relevant external parties.", - "Status": "Unknown" - }, - { - "Code": "A.5.2", - "Section": "Organizational controls", - "Control": "Information security roles and responsibilities", - "Requirements": "All information and cybersecurity roles and responsibilities shall be defined and allocated.", - "Status": "Unknown" - }, - { - "Code": "A.5.3", - "Section": "Organizational controls", - "Control": "Segregation of duties", - "Requirements": "Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.", - "Status": "Unknown" - }, - { - "Code": "A.5.4", - "Section": "Organizational controls", - "Control": "Management responsibilities", - "Requirements": "Management should mandate all employees and contractors to exercise information security in accordance with established policies and procedures set by the organization.", - "Status": "Unknown" - }, - { - "Code": "A.5.5", - "Section": "Organizational controls", - "Control": "Contact with authorities", - "Requirements": "It is necessary to maintain proper communications with the relevant authorities.", - "Status": "Unknown" - }, - { - "Code": "A.5.6", - "Section": "Organizational controls", - "Control": "Contact with special interest groups", - "Requirements": "Appropriate connections should be established with special interest organizations or other forums for professional security and professional associations.", - "Status": "Unknown" - }, - { - "Code": "A.5.7", - "Section": "Organizational controls", - "Control": "Threat intelligence", - "Requirements": "Collect and analyse information relating to information security 
threats and use that information take mitigation action.", - "Status": "Unknown" - }, - { - "Code": "A.5.8", - "Section": "Organizational controls", - "Control": "Information security in projectmanagement", - "Requirements": "Throughout project management, the confidentiality of information should be discussed irrespective of project type.", - "Status": "Unknown" - }, - { - "Code": "A.5.9", - "Section": "Organizational controls", - "Control": "Inventory of information and other associated assets", - "Requirements": "Assets related to information and information facilities of an organization should be identified and listed, inventory of these assets should also be maintained. And assets in the inventory should have their owners (Asset-owner).", - "Status": "Unknown" - }, - { - "Code": "A.5.10", - "Section": "Organizational controls", - "Control": "Acceptable use of information and other associated assets", - "Requirements": "Rules should be identified, documented, and implemented for the acceptable use of information and assets linked to information and information processing facilities. 
Handling of assets in accordance with the organization’s information classification scheme should be developed and implemented.", - "Status": "Unknown" - }, - { - "Code": "A.5.11", - "Section": "Organizational controls", - "Control": "Return of assets", - "Requirements": "Both workers and external stakeholders must return all the organizational assets in their possession upon termination of their job, contract or agreement.", - "Status": "Unknown" - }, - { - "Code": "A.5.12", - "Section": "Organizational controls", - "Control": "Classification of information", - "Requirements": "Information should be classification in the basis of their legal provisions, criticality, and vulnerability to unwanted release or alteration.", - "Status": "Unknown" - }, - { - "Code": "A.5.13", - "Section": "Organizational controls", - "Control": "Labelling of information", - "Requirements": "In accordance with the information classification scheme adopted by the organization, an adequate set of methods for labelling information should be established and implemented.", - "Status": "Unknown" - }, - { - "Code": "A.5.14", - "Section": "Organizational controls", - "Control": "Information transfer", - "Requirements": "In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed. Agreements sElectronic messaging information should be adequately protected.hould address secure transfers between the organization and outside parties of business information. ", - "Status": "Unknown" - }, - { - "Code": "A.5.15", - "Section": "Organizational controls", - "Control": "Access control", - "Requirements": "An access control policy with supporting business and information security requirements should be established, documented, and reviewed. 
Only network and network facilities which have expressly been approved for use will be made available to users.", - "Status": "Unknown" - }, - { - "Code": "A.5.16", - "Section": "Organizational controls", - "Control": "Identity management", - "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.", - "Status": "Unknown" - }, - { - "Code": "A.5.17", - "Section": "Organizational controls", - "Control": "Authentication information", - "Requirements": "A structured management process should control the allocation of secret authentication information. Use of secret authentication information should be allowed for users to follow the organization’s practices. Password management systems should be cooperative to ensure the quality of the passwords.", - "Status": "Unknown" - }, - { - "Code": "A.5.18", - "Section": "Organizational controls", - "Control": "Access rights", - "Requirements": "A formal process for granting access to users should be put in place to grant or remove access privileges for all categories of users to all systems and services. Access rights of users should be reviewed regularly by asset owners. 
Access rights of all employees and external users to information and information processing facilities should be waived upon termination of jobs, contract or agreement, or changed upon adjustment.", - "Status": "Unknown" - }, - { - "Code": "A.5.19", - "Section": "Organizational controls", - "Control": "Information security in supplier relationships", - "Requirements": "The supplier should be agreed with and documented information security requirements related to the risk mitigation of access by suppliers to organizational assets.", - "Status": "Unknown" - }, - { - "Code": "A.5.20", - "Section": "Organizational controls", - "Control": "Addressing information security within supplier agreements", - "Requirements": "Any suppliers that view, process, store, communicate or provide IT infrastructure component information for the organization should be defined and agreed with all applicable information security requirements.", - "Status": "Unknown" - }, - { - "Code": "A.5.21", - "Section": "Organizational controls", - "Control": "Managing information security in the information \nand communication technology (ICT) supply-chain", - "Requirements": "Supplier agreements will contain provisions to mitigate information security risks associated with IT Services and the product supply chain.", - "Status": "Unknown" - }, - { - "Code": "A.5.22", - "Section": "Organizational controls", - "Control": "Monitoring, review and change management of supplier services", - "Requirements": "Organizations shall monitor, review and audit the provision of service to suppliers on a regular basis. 
Change in the provision of services by providers should be managed with the focus on the criticality of enterprise information, systems, processes, and reassessment of risks and should include maintaining and improving existing information security policies, procedures, and controls.", - "Status": "Unknown" - }, - { - "Code": "A.5.23", - "Section": "Organizational controls", - "Control": "Information security for use of cloud services", - "Requirements": "Set security requirements for cloud services in order to have better protection of your information in the cloud. This includes purchasing, using, managing, and terminating the use of cloud services.", - "Status": "Unknown" - }, - { - "Code": "A.5.24", - "Section": "Organizational controls", - "Control": "Information security incident management planning and preparation", - "Requirements": "In order to ensure a quick, efficient, and organized response to Information Security Incident Management roles and procedures should be defined.", - "Status": "Unknown" - }, - { - "Code": "A.5.25", - "Section": "Organizational controls", - "Control": "Assessment and decision on information security events", - "Requirements": "Information security events should be analyzed and determined whether they should be listed as incidents related to information security.", - "Status": "Unknown" - }, - { - "Code": "A.5.26", - "Section": "Organizational controls", - "Control": "Response to information security incidents", - "Requirements": "In the context of the documented procedures, information security incidents should be responded to.", - "Status": "Unknown" - }, - { - "Code": "A.5.27", - "Section": "Organizational controls", - "Control": "Learning from information security incidents", - "Requirements": "To minimize the risk or effect of potential accidents, the experience obtained from the study and mitigation of information security accidents should be used.", - "Status": "Unknown" - }, - { - "Code": "A.5.28", - "Section": 
"Organizational controls", - "Control": "Collection of evidence", - "Requirements": "The organization will define, obtain, procure and retain information as documentation and implement procedures.", - "Status": "Unknown" - }, - { - "Code": "A.5.29", - "Section": "Organizational controls", - "Control": "Information security during disruption", - "Requirements": "In adverse circumstances, e.g. during a crisis or a catastrophe, the company will determine the information securityIn order to ensure the necessary degree of consistency of information security to adverse circumstances, the company should define, document, execute, and maintain processes, procedures, and controls. standards and consistency of information security management. In order to ensure accurate and productive to adverse circumstances, the company must review on-going controls on safety information defined and enforced at regular intervals.", - "Status": "Unknown" - }, - { - "Code": "A.5.30", - "Section": "Organizational controls", - "Control": "ICT readiness for business continuity", - "Requirements": "Information and communication technology to be ready for potential disruptions so that required information and assets are available when needed. This includes readiness planning, implementation, maintenance, and testing.", - "Status": "Unknown" - }, - { - "Code": "A.5.31", - "Section": "Organizational controls", - "Control": "Legal, statutory, regulatory and contractual requirements", - "Requirements": "Each of information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements. 
In accordance with all relevant agreements, legislation, and regulations, cryptographic controls must be used.", - "Status": "Unknown" - }, - { - "Code": "A.5.32", - "Section": "Organizational controls", - "Control": "Intellectual property rights", - "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.", - "Status": "Unknown" - }, - { - "Code": "A.5.33", - "Section": "Organizational controls", - "Control": "Protection of records", - "Requirements": "In accordance with the provisions to legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification, and unauthorized access and unauthorized release.", - "Status": "Unknown" - }, - { - "Code": "A.5.34", - "Section": "Organizational controls", - "Control": "Privacy and protection of personal identifiable information (PII)", - "Requirements": "Privacy and protection of personal data should be guaranteed, as required, in applicable laws and regulations.", - "Status": "Unknown" - }, - { - "Code": "A.5.35", - "Section": "Organizational controls", - "Control": "Independent review of information security", - "Requirements": "Each of these information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.", - "Status": "Unknown" - }, - { - "Code": "A.5.36", - "Section": "Organizational controls", - "Control": "Compliance with policies, rules and standards for information security", - "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon. 
Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.", - "Status": "Unknown" - }, - { - "Code": "A.5.37", - "Section": "Organizational controls", - "Control": "Documented operating procedures", - "Requirements": "Operating procedures should be documented and accessed by all users in need.", - "Status": "Unknown" - }, - { - "Code": "A.6.1", - "Section": "People controls", - "Control": "Screening", - "Requirements": "Background verification checks on all job applicants will be performed in compliance with applicable rules, legislation, and ethics and should be proportionate to business criteria, classification of the information to be obtained, and potential risks.", - "Status": "Unknown" - }, - { - "Code": "A.6.2", - "Section": "People controls", - "Control": "Terms and conditions of employment", - "Requirements": "Contract agreements with employees and contractors would set out their responsibility for information security, and hence the responsibility of the company.", - "Status": "Unknown" - }, - { - "Code": "A.6.3", - "Section": "People controls", - "Control": "Information security awareness, education and training", - "Requirements": "All company workers and, where necessary, contractors will receive adequate awareness education and training, as well as daily updates on organizational policies and procedures, as applicable to their job function.", - "Status": "Unknown" - }, - { - "Code": "A.6.4", - "Section": "People controls", - "Control": "Disciplinary process", - "Requirements": "A formal and informed administrative process will be in place to take action against employees who have committed an information security breach.", - "Status": "Unknown" - }, - { - "Code": "A.6.5", - "Section": "People controls", - "Control": "Responsibilities after termination or change of employment", - "Requirements": "Responsibility and information/cyber security requirements that continue to 
be valid following termination or change of employment must be defined, communicated to, and implemented by the employee or contractor.", - "Status": "Unknown" - }, - { - "Code": "A.6.6", - "Section": "People controls", - "Control": "Confidentiality or non-disclosure agreements", - "Requirements": "Information protection requirements of the organization for confidentiality or non-disclosure agreements should be identified, regularly reviewed, and documented.", - "Status": "Unknown" - }, - { - "Code": "A.6.7", - "Section": "People controls", - "Control": "Remote working", - "Requirements": "To guard the accessed, processed, or stored information at remote sites, a policy and supporting security measures should be implemented.", - "Status": "Unknown" - }, - { - "Code": "A.6.8", - "Section": "People controls", - "Control": "Information security event reporting", - "Requirements": "Information security incidents should be reported as quickly as possible through appropriate management channels. Any information security vulnerabilities found or suspected in systems or services in which employees and contractors are using the information systems and services of the organization should be recorded and documented.", - "Status": "Unknown" - }, - { - "Code": "A.7.1", - "Section": "Physical controls", - "Control": "Physical security perimeters", - "Requirements": "Security perimeters should be established in order to secure areas that contain either sensitive or confidential information and information processing facilities.", - "Status": "Unknown" - }, - { - "Code": "A.7.2", - "Section": "Physical controls", - "Control": "Physical entry", - "Requirements": "Appropriate access controls should protect places to ensure that only authorized employees are allowed access. 
It is important to track and, where possible, differentiate between access points such as the distribution and loading areas and other locations in order to avoid unauthorized access by unauthorized persons to the premises.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.3",
- "Section": "Physical controls",
- "Control": "Securing offices, rooms and facilities",
- "Requirements": "Physical security should be designed and implemented for the offices, rooms, and facilities.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.4",
- "Section": "Physical controls",
- "Control": "Physical security monitoring",
- "Requirements": "Monitor sensitive areas in order to enable only authorized people to access them. This might include your offices, production facilities, warehouses, and other premises.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.5",
- "Section": "Physical controls",
- "Control": "Protecting against physical and environmental threats",
- "Requirements": "Physical protection should be designed and applied against natural disasters, malicious attacks or accidents.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.6",
- "Section": "Physical controls",
- "Control": "Working in secure areas",
- "Requirements": "Procedures should be designed and implemented for working in safe areas.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.7",
- "Section": "Physical controls",
- "Control": "Clear desk and clear screen",
- "Requirements": "A clear desk policy should be adopted for papers and removable storage media and a clear screen policy should be applied to information processing facilities.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.8",
- "Section": "Physical controls",
- "Control": "Equipment siting and protection",
- "Requirements": "To mitigate the risk of environmental hazards, risks, and unauthorized access, the equipment should be sited and secured.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.9",
- "Section": "Physical controls",
- "Control": "Security of 
assets off-premises",
- "Requirements": "The security of off-site assets should be applied to the various risks of working outside the premises of the organization in mind.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.10",
- "Section": "Physical controls",
- "Control": "Storage media",
- "Requirements": "Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. When not required by specific protocols, media should be disposed of securely. Information media should be protected from unauthorized access, misuse or corruption during transportation. Without prior authorization, equipment, information, or software should not be taken off-site.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.11",
- "Section": "Physical controls",
- "Control": "Supporting utilities",
- "Requirements": "Equipment should be secured against power failures and other disruptions caused by the supporting infrastructure failures.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.12",
- "Section": "Physical controls",
- "Control": "Cabling security",
- "Requirements": "Cable for power and telecommunications that carry data or support services should be safeguarded against interception, interference, or damage.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.13",
- "Section": "Physical controls",
- "Control": "Equipment maintenance",
- "Requirements": "To ensure its continued availability and integrity, the equipment should be correctly maintained.",
- "Status": "Unknown"
- },
- {
- "Code": "A.7.14",
- "Section": "Physical controls",
- "Control": "Secure disposal or re-use of equipment",
- "Requirements": "To avoid the removal or overriding of sensitive data and software by the disposal or reuse of any device containing storage medium, all devices must be reviewed.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.1",
- "Section": "Technological controls",
- "Control": "User end point devices",
- "Requirements": 
"To manage the risks introduced by the use of mobile devices, a policy and supporting safety measures should be adopted. Unattended equipment should be adequately protected by users.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.2",
- "Section": "Technological controls",
- "Control": "Privileged access rights",
- "Requirements": "A structured authorizing procedure in accordance with the appropriate access management policies should monitor the allocation and usage of delegated access privileges.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.3",
- "Section": "Technological controls",
- "Control": "Information access restriction",
- "Requirements": "Access controls should be based on individual requirements for business applications and in compliance with a specified access control policy.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.4",
- "Section": "Technological controls",
- "Control": "Access to source code",
- "Requirements": "Access should be limited to the source code of the program.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.5",
- "Section": "Technological controls",
- "Control": "Secure authentication",
- "Requirements": "Access to systems and applications should be controlled by a secure log-on procedure when required by the Access Control Policy.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.6",
- "Section": "Technological controls",
- "Control": "Capacity management",
- "Requirements": "In order to ensure necessary system performance, the use of resources should be monitored, adapted, and projected based on future capacity requirements.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.7",
- "Section": "Technological controls",
- "Control": "Protection against malware",
- "Requirements": "In combination with appropriate user awareness, the detection, prevention, and recovery controls to protect against malware should be implemented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.8",
- "Section": "Technological controls",
- "Control": 
"Management of technical vulnerabilities",
- "Requirements": "Information on technological vulnerabilities of information systems used should be obtained in a timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate measures taken to address the risk involved. Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.9",
- "Section": "Technological controls",
- "Control": "Configuration management",
- "Requirements": "Manage the whole cycle of security configuration for your technology to ensure a proper level of security and to avoid any unauthorized changes. This includes configuration definition, implementation, monitoring, and review.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.10",
- "Section": "Technological controls",
- "Control": "Information deletion",
- "Requirements": "Delete data when no longer required, in order to avoid leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion in your IT systems, removable media, or cloud services.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.11",
- "Section": "Technological controls",
- "Control": "Data masking",
- "Requirements": "Use data masking together with access control in order to limit the exposure of sensitive information. This primarily means personal data, because they are heavily regulated through privacy regulations, but it could also include other categories of sensitive data.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.12",
- "Section": "Technological controls",
- "Control": "Data leakage prevention",
- "Requirements": "Apply various data leakage measures in order to avoid unauthorized disclosure of sensitive information, and if such incidents happen, to detect them in a timely manner. 
This includes information in IT systems, networks, or any devices.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.13",
- "Section": "Technological controls",
- "Control": "Information backup",
- "Requirements": "In accordance with the agreed backup policy, copies of records, program and device images shall be collected and regularly tested.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.14",
- "Section": "Technological controls",
- "Control": "Redundancy of information processing facilities",
- "Requirements": "How information processing facilities are implemented with redundancy sufficiency to meet availability requirements. Redundancy refers to implementing, typically, duplicate hardware to ensure availability of information processing systems.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.15",
- "Section": "Technological controls",
- "Control": "Logging",
- "Requirements": "Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions, defects, and information security events. Logging and log information should be secure from intrusion and unauthorized access. The activity of the System Manager and System Operator is to be logged, and the logs kept safe and monitored closely.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.16",
- "Section": "Technological controls",
- "Control": "Monitoring activities",
- "Requirements": "Monitor systems in order to recognize unusual activities and, if needed, to activate the appropriate incident response. 
This includes monitoring of your IT systems, networks, and applications.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.17",
- "Section": "Technological controls",
- "Control": "Clock synchronization",
- "Requirements": "Clocks in all related information management systems should be integrated into a single reference time source for an organization or safety domain.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.18",
- "Section": "Technological controls",
- "Control": "Use of privileged utility programs",
- "Requirements": "The use of utility programs that could bypass system and application controls should be limited and tightly controlled.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.19",
- "Section": "Technological controls",
- "Control": "Installation of software on operational systems",
- "Requirements": "To control the installation of software on operating systems, procedures should be implemented. Users should set and implement rules governing software installation.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.20",
- "Section": "Technological controls",
- "Control": "Networks security",
- "Requirements": "To protect information in systems and applications, networks should be managed and monitored.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.21",
- "Section": "Technological controls",
- "Control": "Security of network services",
- "Requirements": "Security protocols, quality of service, and management criteria for all network services, whether in-house or outsourced, should be defined and included in-network services agreements.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.22",
- "Section": "Technological controls",
- "Control": "Segregation of networks",
- "Requirements": "Network segregation should be established for information services, users, and information systems.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.23",
- "Section": "Technological controls",
- "Control": "Web filtering",
- "Requirements": "Manage which websites users are 
accessing, in order to protect your IT systems. This way, you can prevent your systems from being compromised by malicious code, and also prevent users from using illegal materials from the Internet.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.24",
- "Section": "Technological controls",
- "Control": "Use of cryptography",
- "Requirements": "A policy on the use of cryptographic controls for protection of information shall be developed and implemented. A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.25",
- "Section": "Technological controls",
- "Control": "Secure development life cycle",
- "Requirements": "Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.26",
- "Section": "Technological controls",
- "Control": "Application security requirements",
- "Requirements": "Application services which pass through public networks should be protected against fraudulent activities, contract disputes, unauthorized disclosure, and modification. 
In order to avoid incomplete transmission, misrouting, unauthorized messaging modification, unauthorized dissemination, unauthorized message replication, or replay, information concerning application service transactions should be covered.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.27",
- "Section": "Technological controls",
- "Control": "Secure system architecture and engineering principles",
- "Requirements": "In the implementation of any information system implementation project, standards for secure system engineered must be established, documented, maintained, and implemented.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.28",
- "Section": "Technological controls",
- "Control": "Secure coding",
- "Requirements": "Establish secure coding principles and apply them to your software development in order to reduce security vulnerabilities in the software. This could include activities before, during, and after the coding.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.29",
- "Section": "Technological controls",
- "Control": "Security testing in development and acceptance",
- "Requirements": "During development, security functionality test should be conducted. New information systems, enhancements, and updated versions should be equipped with acceptance testing services and related requirements.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.30",
- "Section": "Technological controls",
- "Control": "Outsourced development",
- "Requirements": "The organization must monitor activity for the development of the outsourced system.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.31",
- "Section": "Technological controls",
- "Control": "Separation of development, test and production environments",
- "Requirements": "It is important to define and enforce the degree of separation between organizational, testing and development environments needed to avoid operational problems. 
Organizations should create secure development environments and integration efforts for the entire life cycle of system development, and should be adequately protected.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.32",
- "Section": "Technological controls",
- "Control": "Change management",
- "Requirements": "Changes in the organization, organizational procedures, information management facilities, and information security systems should be controlled. Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle. In changing operating platforms, critical applications of business should be revised and tested to ensure no adverse impacts on business or security. Software package modifications should be discouraged, restricted to the modifications necessary, and all changes controlled strictly.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.33",
- "Section": "Technological controls",
- "Control": "Test information",
- "Requirements": "Careful collection, security, and review of test data should be performed.",
- "Status": "Unknown"
- },
- {
- "Code": "A.8.34",
- "Section": "Technological controls",
- "Control": "Protection of information systems during audit testing",
- "Requirements": "The audit criteria and activities related to operating system verification should be carefully prepared and decided in order to reduce business process disturbance.",
- "Status": "Unknown"
- }
-]
\ No newline at end of file
+[
+ {
+ "Code": "A.5.1",
+ "Section": "Organizational controls",
+ "Control": "Policies for information security",
+ "Requirements": "A set of policies for information and cybersecurity shall be defined, approved by C-level, published and communicated to employees and relevant external parties.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.2",
+ "Section": "Organizational controls",
+ "Control": "Information security roles and responsibilities",
+ "Requirements": "All information and 
cybersecurity roles and responsibilities shall be defined and allocated.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.3",
+ "Section": "Organizational controls",
+ "Control": "Segregation of duties",
+ "Requirements": "Conflicting tasks and areas of responsibility should be separated to reduce opportunities to change or misuse the assets of the organization without permission or unintended.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.4",
+ "Section": "Organizational controls",
+ "Control": "Management responsibilities",
+ "Requirements": "Management should mandate all employees and contractors to exercise information security in accordance with established policies and procedures set by the organization.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.5",
+ "Section": "Organizational controls",
+ "Control": "Contact with authorities",
+ "Requirements": "It is necessary to maintain proper communications with the relevant authorities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.6",
+ "Section": "Organizational controls",
+ "Control": "Contact with special interest groups",
+ "Requirements": "Appropriate connections should be established with special interest organizations or other forums for professional security and professional associations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.7",
+ "Section": "Organizational controls",
+ "Control": "Threat intelligence",
+ "Requirements": "Collect and analyse information relating to information security threats and use that information take mitigation action.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.8",
+ "Section": "Organizational controls",
+ "Control": "Information security in projectmanagement",
+ "Requirements": "Throughout project management, the confidentiality of information should be discussed irrespective of project type.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.9",
+ "Section": "Organizational controls",
+ "Control": "Inventory of information and other associated assets",
+ 
"Requirements": "Assets related to information and information facilities of an organization should be identified and listed, inventory of these assets should also be maintained. And assets in the inventory should have their owners (Asset-owner).",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.10",
+ "Section": "Organizational controls",
+ "Control": "Acceptable use of information and other associated assets",
+ "Requirements": "Rules should be identified, documented, and implemented for the acceptable use of information and assets linked to information and information processing facilities. Handling of assets in accordance with the organization’s information classification scheme should be developed and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.11",
+ "Section": "Organizational controls",
+ "Control": "Return of assets",
+ "Requirements": "Both workers and external stakeholders must return all the organizational assets in their possession upon termination of their job, contract or agreement.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.12",
+ "Section": "Organizational controls",
+ "Control": "Classification of information",
+ "Requirements": "Information should be classification in the basis of their legal provisions, criticality, and vulnerability to unwanted release or alteration.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.13",
+ "Section": "Organizational controls",
+ "Control": "Labelling of information",
+ "Requirements": "In accordance with the information classification scheme adopted by the organization, an adequate set of methods for labelling information should be established and implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.14",
+ "Section": "Organizational controls",
+ "Control": "Information transfer",
+ "Requirements": "In order to protect the transferees by using all types of communication facilities, official transfer policies, procedures and controls should be developed. 
Agreements sElectronic messaging information should be adequately protected.hould address secure transfers between the organization and outside parties of business information. ",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.15",
+ "Section": "Organizational controls",
+ "Control": "Access control",
+ "Requirements": "An access control policy with supporting business and information security requirements should be established, documented, and reviewed. Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.16",
+ "Section": "Organizational controls",
+ "Control": "Identity management",
+ "Requirements": "Only network and network facilities which have expressly been approved for use will be made available to users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.17",
+ "Section": "Organizational controls",
+ "Control": "Authentication information",
+ "Requirements": "A structured management process should control the allocation of secret authentication information. Use of secret authentication information should be allowed for users to follow the organization’s practices. Password management systems should be cooperative to ensure the quality of the passwords.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.18",
+ "Section": "Organizational controls",
+ "Control": "Access rights",
+ "Requirements": "A formal process for granting access to users should be put in place to grant or remove access privileges for all categories of users to all systems and services. Access rights of users should be reviewed regularly by asset owners. 
Access rights of all employees and external users to information and information processing facilities should be waived upon termination of jobs, contract or agreement, or changed upon adjustment.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.19",
+ "Section": "Organizational controls",
+ "Control": "Information security in supplier relationships",
+ "Requirements": "The supplier should be agreed with and documented information security requirements related to the risk mitigation of access by suppliers to organizational assets.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.20",
+ "Section": "Organizational controls",
+ "Control": "Addressing information security within supplier agreements",
+ "Requirements": "Any suppliers that view, process, store, communicate or provide IT infrastructure component information for the organization should be defined and agreed with all applicable information security requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.21",
+ "Section": "Organizational controls",
+ "Control": "Managing information security in the information \nand communication technology (ICT) supply-chain",
+ "Requirements": "Supplier agreements will contain provisions to mitigate information security risks associated with IT Services and the product supply chain.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.22",
+ "Section": "Organizational controls",
+ "Control": "Monitoring, review and change management of supplier services",
+ "Requirements": "Organizations shall monitor, review and audit the provision of service to suppliers on a regular basis. 
Change in the provision of services by providers should be managed with the focus on the criticality of enterprise information, systems, processes, and reassessment of risks and should include maintaining and improving existing information security policies, procedures, and controls.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.23",
+ "Section": "Organizational controls",
+ "Control": "Information security for use of cloud services",
+ "Requirements": "Set security requirements for cloud services in order to have better protection of your information in the cloud. This includes purchasing, using, managing, and terminating the use of cloud services.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.24",
+ "Section": "Organizational controls",
+ "Control": "Information security incident management planning and preparation",
+ "Requirements": "In order to ensure a quick, efficient, and organized response to Information Security Incident Management roles and procedures should be defined.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.25",
+ "Section": "Organizational controls",
+ "Control": "Assessment and decision on information security events",
+ "Requirements": "Information security events should be analyzed and determined whether they should be listed as incidents related to information security.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.26",
+ "Section": "Organizational controls",
+ "Control": "Response to information security incidents",
+ "Requirements": "In the context of the documented procedures, information security incidents should be responded to.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.27",
+ "Section": "Organizational controls",
+ "Control": "Learning from information security incidents",
+ "Requirements": "To minimize the risk or effect of potential accidents, the experience obtained from the study and mitigation of information security accidents should be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.28",
+ "Section": 
"Organizational controls",
+ "Control": "Collection of evidence",
+ "Requirements": "The organization will define, obtain, procure and retain information as documentation and implement procedures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.29",
+ "Section": "Organizational controls",
+ "Control": "Information security during disruption",
+ "Requirements": "In adverse circumstances, e.g. during a crisis or a catastrophe, the company will determine the information securityIn order to ensure the necessary degree of consistency of information security to adverse circumstances, the company should define, document, execute, and maintain processes, procedures, and controls. standards and consistency of information security management. In order to ensure accurate and productive to adverse circumstances, the company must review on-going controls on safety information defined and enforced at regular intervals.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.30",
+ "Section": "Organizational controls",
+ "Control": "ICT readiness for business continuity",
+ "Requirements": "Information and communication technology to be ready for potential disruptions so that required information and assets are available when needed. This includes readiness planning, implementation, maintenance, and testing.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.31",
+ "Section": "Organizational controls",
+ "Control": "Legal, statutory, regulatory and contractual requirements",
+ "Requirements": "Each of information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements. 
In accordance with all relevant agreements, legislation, and regulations, cryptographic controls must be used.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.32",
+ "Section": "Organizational controls",
+ "Control": "Intellectual property rights",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.33",
+ "Section": "Organizational controls",
+ "Control": "Protection of records",
+ "Requirements": "In accordance with the provisions to legislative, regulatory, contractual, and business requirements, to protect from loss, destruction, falsification, and unauthorized access and unauthorized release.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.34",
+ "Section": "Organizational controls",
+ "Control": "Privacy and protection of personal identifiable information (PII)",
+ "Requirements": "Privacy and protection of personal data should be guaranteed, as required, in applicable laws and regulations.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.35",
+ "Section": "Organizational controls",
+ "Control": "Independent review of information security",
+ "Requirements": "Each of these information systems and organizations should specifically identify, document, and update all relevant statutory, regulatory, contractual requirements, and the approach of the organization towards compliance with these requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.36",
+ "Section": "Organizational controls",
+ "Control": "Compliance with policies, rules and standards for information security",
+ "Requirements": "Proper procedures will be followed to ensure that the legal, regulatory, and contractual provisions relating to ownership of intellectual property and the use of proprietary software products are complied upon. 
Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.5.37",
+ "Section": "Organizational controls",
+ "Control": "Documented operating procedures",
+ "Requirements": "Operating procedures should be documented and accessed by all users in need.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.1",
+ "Section": "People controls",
+ "Control": "Screening",
+ "Requirements": "Background verification checks on all job applicants will be performed in compliance with applicable rules, legislation, and ethics and should be proportionate to business criteria, classification of the information to be obtained, and potential risks.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.2",
+ "Section": "People controls",
+ "Control": "Terms and conditions of employment",
+ "Requirements": "Contract agreements with employees and contractors would set out their responsibility for information security, and hence the responsibility of the company.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.3",
+ "Section": "People controls",
+ "Control": "Information security awareness, education and training",
+ "Requirements": "All company workers and, where necessary, contractors will receive adequate awareness education and training, as well as daily updates on organizational policies and procedures, as applicable to their job function.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.4",
+ "Section": "People controls",
+ "Control": "Disciplinary process",
+ "Requirements": "A formal and informed administrative process will be in place to take action against employees who have committed an information security breach.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.5",
+ "Section": "People controls",
+ "Control": "Responsibilities after termination or change of employment",
+ "Requirements": "Responsibility and information/cyber security requirements that continue to 
be valid following termination or change of employment must be defined, communicated to, and implemented by the employee or contractor.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.6",
+ "Section": "People controls",
+ "Control": "Confidentiality or non-disclosure agreements",
+ "Requirements": "Information protection requirements of the organization for confidentiality or non-disclosure agreements should be identified, regularly reviewed, and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.7",
+ "Section": "People controls",
+ "Control": "Remote working",
+ "Requirements": "To guard the accessed, processed, or stored information at remote sites, a policy and supporting security measures should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.6.8",
+ "Section": "People controls",
+ "Control": "Information security event reporting",
+ "Requirements": "Information security incidents should be reported as quickly as possible through appropriate management channels. Any information security vulnerabilities found or suspected in systems or services in which employees and contractors are using the information systems and services of the organization should be recorded and documented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.1",
+ "Section": "Physical controls",
+ "Control": "Physical security perimeters",
+ "Requirements": "Security perimeters should be established in order to secure areas that contain either sensitive or confidential information and information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.2",
+ "Section": "Physical controls",
+ "Control": "Physical entry",
+ "Requirements": "Appropriate access controls should protect places to ensure that only authorized employees are allowed access. 
It is important to track and, where possible, differentiate between access points such as the distribution and loading areas and other locations in order to avoid unauthorized access by unauthorized persons to the premises.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.3",
+ "Section": "Physical controls",
+ "Control": "Securing offices, rooms and facilities",
+ "Requirements": "Physical security should be designed and implemented for the offices, rooms, and facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.4",
+ "Section": "Physical controls",
+ "Control": "Physical security monitoring",
+ "Requirements": "Monitor sensitive areas in order to enable only authorized people to access them. This might include your offices, production facilities, warehouses, and other premises.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.5",
+ "Section": "Physical controls",
+ "Control": "Protecting against physical and environmental threats",
+ "Requirements": "Physical protection should be designed and applied against natural disasters, malicious attacks or accidents.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.6",
+ "Section": "Physical controls",
+ "Control": "Working in secure areas",
+ "Requirements": "Procedures should be designed and implemented for working in safe areas.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.7",
+ "Section": "Physical controls",
+ "Control": "Clear desk and clear screen",
+ "Requirements": "A clear desk policy should be adopted for papers and removable storage media and a clear screen policy should be applied to information processing facilities.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.8",
+ "Section": "Physical controls",
+ "Control": "Equipment siting and protection",
+ "Requirements": "To mitigate the risk of environmental hazards, risks, and unauthorized access, the equipment should be sited and secured.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.9",
+ "Section": "Physical controls",
+ "Control": "Security of 
assets off-premises",
+ "Requirements": "The security of off-site assets should be applied to the various risks of working outside the premises of the organization in mind.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.10",
+ "Section": "Physical controls",
+ "Control": "Storage media",
+ "Requirements": "Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. When not required by specific protocols, media should be disposed of securely. Information media should be protected from unauthorized access, misuse or corruption during transportation. Without prior authorization, equipment, information, or software should not be taken off-site.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.11",
+ "Section": "Physical controls",
+ "Control": "Supporting utilities",
+ "Requirements": "Equipment should be secured against power failures and other disruptions caused by the supporting infrastructure failures.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.12",
+ "Section": "Physical controls",
+ "Control": "Cabling security",
+ "Requirements": "Cable for power and telecommunications that carry data or support services should be safeguarded against interception, interference, or damage.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.13",
+ "Section": "Physical controls",
+ "Control": "Equipment maintenance",
+ "Requirements": "To ensure its continued availability and integrity, the equipment should be correctly maintained.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.7.14",
+ "Section": "Physical controls",
+ "Control": "Secure disposal or re-use of equipment",
+ "Requirements": "To avoid the removal or overriding of sensitive data and software by the disposal or reuse of any device containing storage medium, all devices must be reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.1",
+ "Section": "Technological controls",
+ "Control": "User end point devices",
+ "Requirements": 
"To manage the risks introduced by the use of mobile devices, a policy and supporting safety measures should be adopted. Unattended equipment should be adequately protected by users.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.2",
+ "Section": "Technological controls",
+ "Control": "Privileged access rights",
+ "Requirements": "A structured authorizing procedure in accordance with the appropriate access management policies should monitor the allocation and usage of delegated access privileges.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.3",
+ "Section": "Technological controls",
+ "Control": "Information access restriction",
+ "Requirements": "Access controls should be based on individual requirements for business applications and in compliance with a specified access control policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.4",
+ "Section": "Technological controls",
+ "Control": "Access to source code",
+ "Requirements": "Access should be limited to the source code of the program.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.5",
+ "Section": "Technological controls",
+ "Control": "Secure authentication",
+ "Requirements": "Access to systems and applications should be controlled by a secure log-on procedure when required by the Access Control Policy.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.6",
+ "Section": "Technological controls",
+ "Control": "Capacity management",
+ "Requirements": "In order to ensure necessary system performance, the use of resources should be monitored, adapted, and projected based on future capacity requirements.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.7",
+ "Section": "Technological controls",
+ "Control": "Protection against malware",
+ "Requirements": "In combination with appropriate user awareness, the detection, prevention, and recovery controls to protect against malware should be implemented.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.8",
+ "Section": "Technological controls",
+ "Control": 
"Management of technical vulnerabilities",
+ "Requirements": "Information on technological vulnerabilities of information systems used should be obtained in a timely manner, the exposure of the organization to such vulnerabilities should be assessed and appropriate measures taken to address the risk involved. Information systems for compliance with the Information Security Policies and practices of an organization should be periodically reviewed.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.9",
+ "Section": "Technological controls",
+ "Control": "Configuration management",
+ "Requirements": "Manage the whole cycle of security configuration for your technology to ensure a proper level of security and to avoid any unauthorized changes. This includes configuration definition, implementation, monitoring, and review.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.10",
+ "Section": "Technological controls",
+ "Control": "Information deletion",
+ "Requirements": "Delete data when no longer required, in order to avoid leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion in your IT systems, removable media, or cloud services.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.11",
+ "Section": "Technological controls",
+ "Control": "Data masking",
+ "Requirements": "Use data masking together with access control in order to limit the exposure of sensitive information. This primarily means personal data, because they are heavily regulated through privacy regulations, but it could also include other categories of sensitive data.",
+ "Status": "Unknown"
+ },
+ {
+ "Code": "A.8.12",
+ "Section": "Technological controls",
+ "Control": "Data leakage prevention",
+ "Requirements": "Apply various data leakage measures in order to avoid unauthorized disclosure of sensitive information, and if such incidents happen, to detect them in a timely manner. 
This includes information in IT systems, networks, or any devices.", + "Status": "Unknown" + }, + { + "Code": "A.8.13", + "Section": "Technological controls", + "Control": "Information backup", + "Requirements": "In accordance with the agreed backup policy, copies of records, program and device images shall be collected and regularly tested.", + "Status": "Unknown" + }, + { + "Code": "A.8.14", + "Section": "Technological controls", + "Control": "Redundancy of information processing facilities", + "Requirements": "How information processing facilities are implemented with redundancy sufficiency to meet availability requirements. Redundancy refers to implementing, typically, duplicate hardware to ensure availability of information processing systems.", + "Status": "Unknown" + }, + { + "Code": "A.8.15", + "Section": "Technological controls", + "Control": "Logging", + "Requirements": "Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions, defects, and information security events. Logging and log information should be secure from intrusion and unauthorized access. The activity of the System Manager and System Operator is to be logged, and the logs kept safe and monitored closely.", + "Status": "Unknown" + }, + { + "Code": "A.8.16", + "Section": "Technological controls", + "Control": "Monitoring activities", + "Requirements": "Monitor systems in order to recognize unusual activities and, if needed, to activate the appropriate incident response. 
This includes monitoring of your IT systems, networks, and applications.", + "Status": "Unknown" + }, + { + "Code": "A.8.17", + "Section": "Technological controls", + "Control": "Clock synchronization", + "Requirements": "Clocks in all related information management systems should be integrated into a single reference time source for an organization or safety domain.", + "Status": "Unknown" + }, + { + "Code": "A.8.18", + "Section": "Technological controls", + "Control": "Use of privileged utility programs", + "Requirements": "The use of utility programs that could bypass system and application controls should be limited and tightly controlled.", + "Status": "Unknown" + }, + { + "Code": "A.8.19", + "Section": "Technological controls", + "Control": "Installation of software on operational systems", + "Requirements": "To control the installation of software on operating systems, procedures should be implemented. Users should set and implement rules governing software installation.", + "Status": "Unknown" + }, + { + "Code": "A.8.20", + "Section": "Technological controls", + "Control": "Networks security", + "Requirements": "To protect information in systems and applications, networks should be managed and monitored.", + "Status": "Unknown" + }, + { + "Code": "A.8.21", + "Section": "Technological controls", + "Control": "Security of network services", + "Requirements": "Security protocols, quality of service, and management criteria for all network services, whether in-house or outsourced, should be defined and included in-network services agreements.", + "Status": "Unknown" + }, + { + "Code": "A.8.22", + "Section": "Technological controls", + "Control": "Segregation of networks", + "Requirements": "Network segregation should be established for information services, users, and information systems.", + "Status": "Unknown" + }, + { + "Code": "A.8.23", + "Section": "Technological controls", + "Control": "Web filtering", + "Requirements": "Manage which websites users are 
accessing, in order to protect your IT systems. This way, you can prevent your systems from being compromised by malicious code, and also prevent users from using illegal materials from the Internet.", + "Status": "Unknown" + }, + { + "Code": "A.8.24", + "Section": "Technological controls", + "Control": "Use of cryptography", + "Requirements": "A policy on the use of cryptographic controls for protection of information shall be developed and implemented. A policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire life cycle.", + "Status": "Unknown" + }, + { + "Code": "A.8.25", + "Section": "Technological controls", + "Control": "Secure development life cycle", + "Requirements": "Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle.", + "Status": "Unknown" + }, + { + "Code": "A.8.26", + "Section": "Technological controls", + "Control": "Application security requirements", + "Requirements": "Application services which pass through public networks should be protected against fraudulent activities, contract disputes, unauthorized disclosure, and modification. 
In order to avoid incomplete transmission, misrouting, unauthorized messaging modification, unauthorized dissemination, unauthorized message replication, or replay, information concerning application service transactions should be covered.", + "Status": "Unknown" + }, + { + "Code": "A.8.27", + "Section": "Technological controls", + "Control": "Secure system architecture and engineering principles", + "Requirements": "In the implementation of any information system implementation project, standards for secure system engineered must be established, documented, maintained, and implemented.", + "Status": "Unknown" + }, + { + "Code": "A.8.28", + "Section": "Technological controls", + "Control": "Secure coding", + "Requirements": "Establish secure coding principles and apply them to your software development in order to reduce security vulnerabilities in the software. This could include activities before, during, and after the coding.", + "Status": "Unknown" + }, + { + "Code": "A.8.29", + "Section": "Technological controls", + "Control": "Security testing in development and acceptance", + "Requirements": "During development, security functionality test should be conducted. New information systems, enhancements, and updated versions should be equipped with acceptance testing services and related requirements.", + "Status": "Unknown" + }, + { + "Code": "A.8.30", + "Section": "Technological controls", + "Control": "Outsourced development", + "Requirements": "The organization must monitor activity for the development of the outsourced system.", + "Status": "Unknown" + }, + { + "Code": "A.8.31", + "Section": "Technological controls", + "Control": "Separation of development, test and production environments", + "Requirements": "It is important to define and enforce the degree of separation between organizational, testing and development environments needed to avoid operational problems. 
Organizations should create secure development environments and integration efforts for the entire life cycle of system development, and should be adequately protected.", + "Status": "Unknown" + }, + { + "Code": "A.8.32", + "Section": "Technological controls", + "Control": "Change management", + "Requirements": "Changes in the organization, organizational procedures, information management facilities, and information security systems should be controlled. Changes to processes can be managed through the implementation of structured change control procedures within the software lifecycle. In changing operating platforms, critical applications of business should be revised and tested to ensure no adverse impacts on business or security. Software package modifications should be discouraged, restricted to the modifications necessary, and all changes controlled strictly.", + "Status": "Unknown" + }, + { + "Code": "A.8.33", + "Section": "Technological controls", + "Control": "Test information", + "Requirements": "Careful collection, security, and review of test data should be performed.", + "Status": "Unknown" + }, + { + "Code": "A.8.34", + "Section": "Technological controls", + "Control": "Protection of information systems during audit testing", + "Requirements": "The audit criteria and activities related to operating system verification should be carefully prepared and decided in order to reduce business process disturbance.", + "Status": "Unknown" + } +] diff --git a/components/defaultLanding/data/MVPS-controls.json b/components/defaultLanding/data/MVPS-controls.json index 4034cafa..bc5f7349 100644 --- a/components/defaultLanding/data/MVPS-controls.json +++ b/components/defaultLanding/data/MVPS-controls.json 
@@ -1,303 +1,303 @@ { -"MVPS-Controls":[ - { - "Code": "MVSP-1.1", - "Section": "Business controls", - "Control": "Vulnerability reports", - "Requirements": "Publish the point of contact for security reports on your website\nRespond to security reports within a reasonable time frame", - "Status": "Unknown" - }, - { - "Code": "MVSP-1.2", - "Section": "Business controls", - "Control": "Customer testing", - "Requirements": "On request, enable your customers or their delegates to test the security of your application\nTest on a non-production environment if it closely resembles the production environment in functionality\nEnsure non-production environments do not contain production data", - "Status": "Defined" - }, - { - "Code": "MVSP-1.3", - "Section": "Business controls", - "Control": "Self-assessment", - "Requirements": "Perform annual (at a minimum) security self-assessments using this document", - "Status": "Nonexistent" - }, - { - "Code": "MVSP-1.4", - "Section": "Business controls", - "Control": "External testing", - "Requirements": "Contract a security vendor to perform annual, comprehensive penetration tests on your systems", - "Status": "Unknown" - }, - { - "Code": "MVSP-1.5", - "Section": "Business controls", - "Control": "Training", - "Requirements": "Implement role-specific security training for your personnel that is relevant to their business function", - "Status": "Not applicable" - }, - { - "Code": "MVSP-1.6", - "Section": "Business controls", - "Control": "Compliance", - "Requirements": "Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18\nComply with local laws and regulations in jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules, and Standard Contractual Clauses\nEnsure data localization requirements are implemented in line with local regulations and contractual obligations", - "Status": "Defined" - }, - { - "Code": "MVSP-1.7", - 
"Section": "Business controls", - "Control": "Incident handling", - "Requirements": "Notify your customers about a breach without undue delay, no later than 72 hours upon discovery\nInclude the following information in the notification: \n- Relevant point of contact\n- Preliminary technical analysis of the breach\n- Remediation plan with reasonable timelines", - "Status": "Unknown" - }, - { - "Code": "MVSP-1.8", - "Section": "Business controls", - "Control": "Data handling", - "Requirements": "Ensure media sanitization processes based on NIST SP 800-88 or equivalent are implemented", - "Status": "Managed" - }, - { - "Code": "MVSP-2.1", - "Section": "Application design controls", - "Control": "Single Sign-On", - "Requirements": "Implement single sign-on using modern and industry standard protocols", - "Status": "Unknown" - }, - { - "Code": "MVSP-2.2", - "Section": "Application design controls", - "Control": "HTTPS-only", - "Requirements": "Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443)\nNote: This does not apply to secure protocols designed to run on top of unencrypted connections, such as OCSP\nScan and address issues using freely available modern TLS scanning tools\nInclude the Strict-Transport-Security header on all pages with the includeSubdomains directive", - "Status": "Unknown" - }, - { - "Code": "MVSP-2.3", - "Section": "Application design controls", - "Control": "Security Headers", - "Requirements": "Apply appropriate security headers to reduce the application attack surface and limit post exploitation: \n- Set a minimally permissive Content Security Policy \n- Limit the ability to iframe sensitive application content where appropriate", - "Status": "Optimized" - }, - { - "Code": "MVSP-2.4", - "Section": "Application design controls", - "Control": "Password policy", - "Requirements": "If password authentication is used in addition to single sign-on: \n- Do not limit the permitted characters that can be used \n- Do not limit the length of 
the password to anything below 64 characters \n- Do not use secret questions as a sole password reset requirement \n- Require email verification of a password change request \n- Require the current password in addition to the new password during password change \n- Store passwords in a hashed and salted format using a memory-hard or CPU-hard one-way hash function \n- Enforce appropriate account lockout and brute-force protection on account access", - "Status": "Initial" - }, - { - "Code": "MVSP-2.5", - "Section": "Application design controls", - "Control": "Security libraries", - "Requirements": "Use frameworks, template languages, or libraries that systemically address implementation weaknesses by escaping the outputs and sanitizing the inputs\nExample: ORM for database access, UI framework for rendering DOM", - "Status": "Limited" - }, - { - "Code": "MVSP-2.6", - "Section": "Application design controls", - "Control": "Dependency Patching", - "Requirements": "Apply security patches with a severity score of \"medium\" or higher, or ensure equivalent mitigations are available for all components of the application stack within one month of the patch release", - "Status": "Unknown" - }, - { - "Code": "MVSP-2.7", - "Section": "Application design controls", - "Control": "Logging", - "Requirements": "Keep logs of:\n- Users logging in and out\n- Read, write, delete operations on application and system\n- Security settings changes (including disabling logging)\n- Application owner access to customer data (access transparency)\n\nLogs must include user ID, IP address, valid timestamp, type of action performed, and object of this action. Logs must be stored for at least 30 days, and should not contain sensitive data or payloads. 
Users\n and objects", - "Status": "Unknown" - }, - { - "Code": "MVSP-2.8", - "Section": "Application design controls", - "Control": "Encryption", - "Requirements": "Use available means of encryption to protect sensitive data in transit between systems and at rest in online data storages and backups", - "Status": "Unknown" - }, - { - "Code": "MVSP-3.1", - "Section": "Application implementation controls", - "Control": "List of data", - "Requirements": "Maintain a list of sensitive data types that the application is expected to process", - "Status": "Unknown" - }, - { - "Code": "MVSP-3.2", - "Section": "Application implementation controls", - "Control": "Data flow diagram", - "Requirements": "Maintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored", - "Status": "Unknown" - }, - { - "Code": "MVSP-3.3", - "Section": "Application implementation controls", - "Control": "Vulnerability prevention", - "Requirements": "Train your developers and implement development guidelines to prevent at least the following vulnerabilities: \n- Authorization bypass. Example: Accessing other customers' data or admin features from a regular account \n- Insecure session ID. Examples: Guessable token; a token stored in an insecure location (e.g. cookie without secure and httpOnly flags set) \n- Injections. Examples: SQL injection, NoSQL injection, XXE, OS command injection \n- Cross-site scripting. Examples: Calling insecure JavaScript functions, performing insecure DOM manipulations, echoing back user input into HTML without escaping \n- Cross-site request forgery. Example: Accepting requests with an Origin header from a different domain \n- Use of vulnerable libraries. 
Example: Using server-side frameworks or JavaScript libraries with known vulnerabilities", - "Status": "Unknown" - }, - { - "Code": "MVSP-3.4", - "Section": "Application implementation controls", - "Control": "Time to fix vulnerabilities", - "Requirements": "Produce and deploy patches to address application vulnerabilities that materially impact security within 90 days of discovery", - "Status": "Unknown" - }, - { - "Code": "MVSP-3.5", - "Section": "Application implementation controls", - "Control": "Build process", - "Requirements": "Build processes must be fully scripted\/automated and generate provenance (SLSA Level 1)", - "Status": "Unknown" - }, - { - "Code": "MVSP-4.1", - "Section": "Operational controls", - "Control": "Physical access", - "Requirements": "Validate the physical security of relevant facilities by ensuring the following controls are in place: \n- Layered perimeter controls and interior barriers \n- Managed access to keys \n- Entry and exit logs \n- Appropriate response plan for intruder alerts", - "Status": "Unknown" - }, - { - "Code": "MVSP-4.2", - "Section": "Operational controls", - "Control": "Logical access", - "Requirements": "- Limit sensitive data access exclusively to users with a legitimate need. 
The data owner must authorize such access \n- Deactivate redundant accounts and expired access grants in a timely manner \n- Perform regular reviews of access to validate need to know \n- Ensure remote access to customer data or production systems requires the use of Multi-Factor Authentication", - "Status": "Unknown" - }, - { - "Code": "MVSP-4.3", - "Section": "Operational controls", - "Control": "Sub-processors", - "Requirements": "- Publish a list of third-party companies with access to customer data on your website \n- Assess third-party companies annually against this baseline", - "Status": "Unknown" - }, - { - "Code": "MVSP-4.4", - "Section": "Operational controls", - "Control": "Backup and Disaster recovery", - "Requirements": "- Securely back up all data to a different location than where the application is running \n- Maintain and periodically test disaster recovery plans \n- Periodically test backup restoration", - "Status": "Unknown" - } -], -"Selection":[ - { - "Status": "Unknown", - "Maturity level": 0, - "Meaning": "Has not even been checked yet", - "Column4": " " - }, - { - "Status": "Not applicable", - "Maturity level": 0, - "Meaning": "Management can ignore them" - }, - { - "Status": "Nonexistent", - "Maturity level": 1, - "Meaning": "Complete lack of recognizable policy, procedure, control etc." 
- }, - { - "Status": "Initial", - "Maturity level": 2, - "Meaning": "Development has barely started and will require significant work to fulfill the requirements" - }, - { - "Status": "Limited", - "Maturity level": 3, - "Meaning": "Progressing nicely but not yet complete" - }, - { - "Status": "Defined", - "Maturity level": 4, - "Meaning": "Development is more or less complete although detail is lacking and\/or it is not yet implemented, enforced and actively supported by top management" - }, - { - "Status": "Managed", - "Maturity level": 5, - "Meaning": "Development is complete, the process\/control has been implemented and recently started operating" - }, - { - "Status": "Optimized", - "Maturity level": 6, - "Meaning": "The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors" - } -], -"Dashboard":[ - { - "Status": "Unknown", - "Percentage": 0.68 - }, - { - "Status": "Not applicable", - "Percentage": 0.04 - }, - { - "Status": "Nonexistent", - "Percentage": 0.04 - }, - { - "Status": "Initial", - "Percentage": 0.04 - }, - { - "Status": "Limited", - "Percentage": 0.04 - }, - { - "Status": "Defined", - "Percentage": 0.08 - }, - { - "Status": "Managed", - "Percentage": 0.04 - }, - { - "Status": "Optimized", - "Percentage": 0.04, - "Column11": "https:\/\/www.chartjs.org\/docs\/latest\/charts\/radar.html" - }, - { - "Column4": "https:\/\/www.chartjs.org\/docs\/latest\/samples\/other-charts\/pie.html" - }, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - null, - { - "Status": "Section", - "Percentage": "Maturity level" - }, - { - "Status": "Business controls", - "Percentage": 3 - }, - { - "Status": "Application design controls", - "Percentage": 4 - }, - { - "Status": "Application implementation controls", - "Percentage": 2 - 
}, - { - "Status": "Operational controls", - "Percentage": 1 - } -] -} \ No newline at end of file + "MVPS-Controls": [ + { + "Code": "MVSP-1.1", + "Section": "Business controls", + "Control": "Vulnerability reports", + "Requirements": "Publish the point of contact for security reports on your website\nRespond to security reports within a reasonable time frame", + "Status": "Unknown" + }, + { + "Code": "MVSP-1.2", + "Section": "Business controls", + "Control": "Customer testing", + "Requirements": "On request, enable your customers or their delegates to test the security of your application\nTest on a non-production environment if it closely resembles the production environment in functionality\nEnsure non-production environments do not contain production data", + "Status": "Defined" + }, + { + "Code": "MVSP-1.3", + "Section": "Business controls", + "Control": "Self-assessment", + "Requirements": "Perform annual (at a minimum) security self-assessments using this document", + "Status": "Nonexistent" + }, + { + "Code": "MVSP-1.4", + "Section": "Business controls", + "Control": "External testing", + "Requirements": "Contract a security vendor to perform annual, comprehensive penetration tests on your systems", + "Status": "Unknown" + }, + { + "Code": "MVSP-1.5", + "Section": "Business controls", + "Control": "Training", + "Requirements": "Implement role-specific security training for your personnel that is relevant to their business function", + "Status": "Not applicable" + }, + { + "Code": "MVSP-1.6", + "Section": "Business controls", + "Control": "Compliance", + "Requirements": "Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18\nComply with local laws and regulations in jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules, and Standard Contractual Clauses\nEnsure data localization requirements are implemented in line with local regulations and 
contractual obligations", + "Status": "Defined" + }, + { + "Code": "MVSP-1.7", + "Section": "Business controls", + "Control": "Incident handling", + "Requirements": "Notify your customers about a breach without undue delay, no later than 72 hours upon discovery\nInclude the following information in the notification: \n- Relevant point of contact\n- Preliminary technical analysis of the breach\n- Remediation plan with reasonable timelines", + "Status": "Unknown" + }, + { + "Code": "MVSP-1.8", + "Section": "Business controls", + "Control": "Data handling", + "Requirements": "Ensure media sanitization processes based on NIST SP 800-88 or equivalent are implemented", + "Status": "Managed" + }, + { + "Code": "MVSP-2.1", + "Section": "Application design controls", + "Control": "Single Sign-On", + "Requirements": "Implement single sign-on using modern and industry standard protocols", + "Status": "Unknown" + }, + { + "Code": "MVSP-2.2", + "Section": "Application design controls", + "Control": "HTTPS-only", + "Requirements": "Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443)\nNote: This does not apply to secure protocols designed to run on top of unencrypted connections, such as OCSP\nScan and address issues using freely available modern TLS scanning tools\nInclude the Strict-Transport-Security header on all pages with the includeSubdomains directive", + "Status": "Unknown" + }, + { + "Code": "MVSP-2.3", + "Section": "Application design controls", + "Control": "Security Headers", + "Requirements": "Apply appropriate security headers to reduce the application attack surface and limit post exploitation: \n- Set a minimally permissive Content Security Policy \n- Limit the ability to iframe sensitive application content where appropriate", + "Status": "Optimized" + }, + { + "Code": "MVSP-2.4", + "Section": "Application design controls", + "Control": "Password policy", + "Requirements": "If password authentication is used in addition to single sign-on: \n- Do 
not limit the permitted characters that can be used \n- Do not limit the length of the password to anything below 64 characters \n- Do not use secret questions as a sole password reset requirement \n- Require email verification of a password change request \n- Require the current password in addition to the new password during password change \n- Store passwords in a hashed and salted format using a memory-hard or CPU-hard one-way hash function \n- Enforce appropriate account lockout and brute-force protection on account access", + "Status": "Initial" + }, + { + "Code": "MVSP-2.5", + "Section": "Application design controls", + "Control": "Security libraries", + "Requirements": "Use frameworks, template languages, or libraries that systemically address implementation weaknesses by escaping the outputs and sanitizing the inputs\nExample: ORM for database access, UI framework for rendering DOM", + "Status": "Limited" + }, + { + "Code": "MVSP-2.6", + "Section": "Application design controls", + "Control": "Dependency Patching", + "Requirements": "Apply security patches with a severity score of \"medium\" or higher, or ensure equivalent mitigations are available for all components of the application stack within one month of the patch release", + "Status": "Unknown" + }, + { + "Code": "MVSP-2.7", + "Section": "Application design controls", + "Control": "Logging", + "Requirements": "Keep logs of:\n- Users logging in and out\n- Read, write, delete operations on application and system\n- Security settings changes (including disabling logging)\n- Application owner access to customer data (access transparency)\n\nLogs must include user ID, IP address, valid timestamp, type of action performed, and object of this action. Logs must be stored for at least 30 days, and should not contain sensitive data or payloads. 
Users\n and objects", + "Status": "Unknown" + }, + { + "Code": "MVSP-2.8", + "Section": "Application design controls", + "Control": "Encryption", + "Requirements": "Use available means of encryption to protect sensitive data in transit between systems and at rest in online data storages and backups", + "Status": "Unknown" + }, + { + "Code": "MVSP-3.1", + "Section": "Application implementation controls", + "Control": "List of data", + "Requirements": "Maintain a list of sensitive data types that the application is expected to process", + "Status": "Unknown" + }, + { + "Code": "MVSP-3.2", + "Section": "Application implementation controls", + "Control": "Data flow diagram", + "Requirements": "Maintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored", + "Status": "Unknown" + }, + { + "Code": "MVSP-3.3", + "Section": "Application implementation controls", + "Control": "Vulnerability prevention", + "Requirements": "Train your developers and implement development guidelines to prevent at least the following vulnerabilities: \n- Authorization bypass. Example: Accessing other customers' data or admin features from a regular account \n- Insecure session ID. Examples: Guessable token; a token stored in an insecure location (e.g. cookie without secure and httpOnly flags set) \n- Injections. Examples: SQL injection, NoSQL injection, XXE, OS command injection \n- Cross-site scripting. Examples: Calling insecure JavaScript functions, performing insecure DOM manipulations, echoing back user input into HTML without escaping \n- Cross-site request forgery. Example: Accepting requests with an Origin header from a different domain \n- Use of vulnerable libraries. 
Example: Using server-side frameworks or JavaScript libraries with known vulnerabilities", + "Status": "Unknown" + }, + { + "Code": "MVSP-3.4", + "Section": "Application implementation controls", + "Control": "Time to fix vulnerabilities", + "Requirements": "Produce and deploy patches to address application vulnerabilities that materially impact security within 90 days of discovery", + "Status": "Unknown" + }, + { + "Code": "MVSP-3.5", + "Section": "Application implementation controls", + "Control": "Build process", + "Requirements": "Build processes must be fully scripted/automated and generate provenance (SLSA Level 1)", + "Status": "Unknown" + }, + { + "Code": "MVSP-4.1", + "Section": "Operational controls", + "Control": "Physical access", + "Requirements": "Validate the physical security of relevant facilities by ensuring the following controls are in place: \n- Layered perimeter controls and interior barriers \n- Managed access to keys \n- Entry and exit logs \n- Appropriate response plan for intruder alerts", + "Status": "Unknown" + }, + { + "Code": "MVSP-4.2", + "Section": "Operational controls", + "Control": "Logical access", + "Requirements": "- Limit sensitive data access exclusively to users with a legitimate need. 
The data owner must authorize such access \n- Deactivate redundant accounts and expired access grants in a timely manner \n- Perform regular reviews of access to validate need to know \n- Ensure remote access to customer data or production systems requires the use of Multi-Factor Authentication", + "Status": "Unknown" + }, + { + "Code": "MVSP-4.3", + "Section": "Operational controls", + "Control": "Sub-processors", + "Requirements": "- Publish a list of third-party companies with access to customer data on your website \n- Assess third-party companies annually against this baseline", + "Status": "Unknown" + }, + { + "Code": "MVSP-4.4", + "Section": "Operational controls", + "Control": "Backup and Disaster recovery", + "Requirements": "- Securely back up all data to a different location than where the application is running \n- Maintain and periodically test disaster recovery plans \n- Periodically test backup restoration", + "Status": "Unknown" + } + ], + "Selection": [ + { + "Status": "Unknown", + "Maturity level": 0, + "Meaning": "Has not even been checked yet", + "Column4": " " + }, + { + "Status": "Not applicable", + "Maturity level": 0, + "Meaning": "Management can ignore them" + }, + { + "Status": "Nonexistent", + "Maturity level": 1, + "Meaning": "Complete lack of recognizable policy, procedure, control etc." 
+ }, + { + "Status": "Initial", + "Maturity level": 2, + "Meaning": "Development has barely started and will require significant work to fulfill the requirements" + }, + { + "Status": "Limited", + "Maturity level": 3, + "Meaning": "Progressing nicely but not yet complete" + }, + { + "Status": "Defined", + "Maturity level": 4, + "Meaning": "Development is more or less complete although detail is lacking and/or it is not yet implemented, enforced and actively supported by top management" + }, + { + "Status": "Managed", + "Maturity level": 5, + "Meaning": "Development is complete, the process/control has been implemented and recently started operating" + }, + { + "Status": "Optimized", + "Maturity level": 6, + "Meaning": "The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors" + } + ], + "Dashboard": [ + { + "Status": "Unknown", + "Percentage": 0.68 + }, + { + "Status": "Not applicable", + "Percentage": 0.04 + }, + { + "Status": "Nonexistent", + "Percentage": 0.04 + }, + { + "Status": "Initial", + "Percentage": 0.04 + }, + { + "Status": "Limited", + "Percentage": 0.04 + }, + { + "Status": "Defined", + "Percentage": 0.08 + }, + { + "Status": "Managed", + "Percentage": 0.04 + }, + { + "Status": "Optimized", + "Percentage": 0.04, + "Column11": "https://www.chartjs.org/docs/latest/charts/radar.html" + }, + { + "Column4": "https://www.chartjs.org/docs/latest/samples/other-charts/pie.html" + }, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + null, + { + "Status": "Section", + "Percentage": "Maturity level" + }, + { + "Status": "Business controls", + "Percentage": 3 + }, + { + "Status": "Application design controls", + "Percentage": 4 + }, + { + "Status": "Application implementation controls", + "Percentage": 2 + }, + { + 
"Status": "Operational controls",
+ "Percentage": 1
+ }
+ ]
+}
diff --git a/components/defaultLanding/data/availableExtensions.json b/components/defaultLanding/data/availableExtensions.json
index 1bbafa94..3c3b9318 100644
--- a/components/defaultLanding/data/availableExtensions.json
+++ b/components/defaultLanding/data/availableExtensions.json
@@ -1,18 +1,18 @@
 {
- "availableExtensions": {
- "pdf": "application/pdf",
- "7z": "application/x-7z-compressed",
- "zip": "application/zip",
- "tar": "application/x-tar",
- "gz": "application/gzip",
- "docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
- "xls": "application/vnd.ms-excel",
- "csv": "text/csv",
- "json": "application/json",
- "xml": "application/xml",
- "txt": "text/plain",
- "ods": "application/vnd.oasis.opendocument.spreadsheet",
- "rtf": "application/rtf",
- "odt": "application/vnd.oasis.opendocument.text"
- }
- }
\ No newline at end of file
+ "availableExtensions": {
+ "pdf": "application/pdf",
+ "7z": "application/x-7z-compressed",
+ "zip": "application/zip",
+ "tar": "application/x-tar",
+ "gz": "application/gzip",
+ "docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+ "xls": "application/vnd.ms-excel",
+ "csv": "text/csv",
+ "json": "application/json",
+ "xml": "application/xml",
+ "txt": "text/plain",
+ "ods": "application/vnd.oasis.opendocument.spreadsheet",
+ "rtf": "application/rtf",
+ "odt": "application/vnd.oasis.opendocument.text"
+ }
+}
diff --git a/components/defaultLanding/data/configs/csc.ts b/components/defaultLanding/data/configs/csc.ts
index bf892ae7..198f7ca5 100644
--- a/components/defaultLanding/data/configs/csc.ts
+++ b/components/defaultLanding/data/configs/csc.ts
@@ -1,7 +1,7 @@ //import json from "../../../data/MVPS-controls.json"; import defaultJson from '../MVPS-controls.json'; -import iso2013Json from '../ISO-CSC-controls-2013.json' -import iso2022Json from '../ISO-CSC-controls-2022.json' +import iso2013Json from '../ISO-CSC-controls-2013.json'; +import iso2022Json from '../ISO-CSC-controls-2022.json'; import { Control, IsoControlMap, Section } from 'types'; @@ -10,9 +10,8 @@ import { Control, IsoControlMap, Section } from 'types'; const controls = { '2013': iso2013Json, '2022': iso2022Json, - 'default': defaultJson["MVPS-Controls"] -} - + default: defaultJson['MVPS-Controls'], +}; const sections = [ { @@ -36,8 +35,8 @@ const sections = [ const isoOptions = [ { label: 'ISO/IEC 27001:2013', value: '2013' }, { label: 'ISO/IEC 27001:2022', value: '2022' }, - { label: 'MVSP v1.0-20211007', value: 'default' } -] + { label: 'MVSP v1.0-20211007', value: 'default' }, +]; const perPageOptions: { label: string; value: number }[] = [ { 
@@ -74,34 +73,42 @@ const perPageOptions: { label: string; value: number }[] = [ // }) // ); -const trimToSecondDot = (inputString: string): string => inputString.split('.').slice(0, 2).join('.'); +const trimToSecondDot = (inputString: string): string => + inputString.split('.').slice(0, 2).join('.'); const getSectionsLabels = (iso: string) => { - if (iso !== "2013") { - return getSections(iso).map(({ label }) => label) + if (iso !== '2013') { + return getSections(iso).map(({ label }) => label); } //For ISO 2013 we should merge the sections because of their big amount const labelSet = new Set(); - controls[iso].forEach(item => { + controls[iso].forEach((item) => { labelSet.add(trimToSecondDot(item.Code)); }); - const sections = (Array.from(labelSet) as string[]) - .map((label: string) => label + " " + controls[iso].find(({ Code }) => Code.includes(label))?.Section.split(" - ")[0]) + const sections = (Array.from(labelSet) as string[]).map( + (label: string) => + label + + ' ' + + controls[iso] + .find(({ Code }) => Code.includes(label)) + ?.Section.split(' - ')[0] + ); - return sections -} + return sections; +}; -const getControlOptions = (iso: string) => controls[iso].map(({ Code, Control, Requirements, Section }) => ({ - label: `${Code}: ${Section}, ${Control}`, - value: { - code: Code, - control: Control, - requirements: Requirements, - section: Section - } -})) +const getControlOptions = (iso: string) => + controls[iso].map(({ Code, Control, Requirements, Section }) => ({ + label: `${Code}: ${Section}, ${Control}`, + value: { + code: Code, + control: Control, + requirements: Requirements, + section: Section, + }, + })); const mergePoints = (d) => { const merged = [ 
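Review bot: In getSectionsLabels, the lookup `controls[iso].find(({ Code }) => Code.includes(label))` is a substring test, so a short label produced by trimToSecondDot can match any longer code that merely contains it, and the section name attached to that label would then come from the wrong control. Whether a collision actually occurs depends on the code numbering in the 2013 JSON, which is not visible here, but a prefix test is exact at no extra cost: `.find(({ Code }) => Code.startsWith(label + '.'))`. When no control matches, the optional chain yields `undefined` and the label is built as the literal text "undefined" after the code; a `?? ''` fallback on the section part would keep the label clean. mergePoints begins at the end of this hunk but its body continues outside it.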
@@ -119,17 +126,17 @@ const mergePoints = (d) => { d[30], (d[31] + d[32]) / 2, (d[33] + d[34]) / 2, - ] + ]; - const rounded = merged.map(value => Math.round(value)) + const rounded = merged.map((value) => Math.round(value)); - return rounded -} + return rounded; +}; const getRadarChartLabels = (iso: string) => { - const labels = getSectionsLabels(iso) - return labels.map(label => label.split(" ")) -} + const labels = getSectionsLabels(iso); + return labels.map((label) => label.split(' ')); +}; const getSections = (iso: string): Section[] => { const sectionSet = new Set(); @@ -146,21 +153,21 @@ const getSections = (iso: string): Section[] => { })); return sections; -} +}; const getSectionFilterOptions = (iso: string) => { if (iso !== '2013') { - return getSections(iso) + return getSections(iso); } - const labels = getSectionsLabels(iso) - const options = labels.map(label => ({ + const labels = getSectionsLabels(iso); + const options = labels.map((label) => ({ label, - value: removeBeforeFirstSpace(label) - })) + value: removeBeforeFirstSpace(label), + })); - return options -} + return options; +}; const removeBeforeFirstSpace = (string) => { const parts = string.split(' '); @@ -168,7 +175,7 @@ const removeBeforeFirstSpace = (string) => { return parts.slice(1).join(' '); } return string; -} +}; const statusOptions: { label: string; value: number }[] = [ { @@ -281,5 +288,5 @@ export { sections, perPageOptions, controls, - isoOptions + isoOptions, }; diff --git a/components/defaultLanding/data/statuses.json b/components/defaultLanding/data/statuses.json index 59705183..bd37900c 100644 --- a/components/defaultLanding/data/statuses.json +++ b/components/defaultLanding/data/statuses.json @@ -19,4 +19,4 @@ "label": "Done", "value": "done" } -] \ No newline at end of file +] diff --git a/components/emailTemplates/EmailLayout.tsx b/components/emailTemplates/EmailLayout.tsx index 2dae996e..7397a9df 100644 --- a/components/emailTemplates/EmailLayout.tsx 
+++ b/components/emailTemplates/EmailLayout.tsx @@ -19,11 +19,7 @@ const EmailLayout = ({ children }: EmailLayoutProps) => { - {app.name} + {app.name}
{children} diff --git a/components/interfaces/Auth/JoinWithInvitation.tsx b/components/interfaces/Auth/JoinWithInvitation.tsx index 65e92e04..b32b9bb3 100644 --- a/components/interfaces/Auth/JoinWithInvitation.tsx +++ b/components/interfaces/Auth/JoinWithInvitation.tsx @@ -1,13 +1,13 @@ -import { useFormik } from "formik"; -import * as Yup from "yup"; -import { Button } from "react-daisyui"; -import toast from "react-hot-toast"; -import { useRouter } from "next/router"; -import { useTranslation } from "next-i18next"; -import type { User } from "@prisma/client"; -import type { ApiResponse } from "types"; -import { InputWithLabel, Loading, Error } from "@/components/shared"; -import useInvitation from "hooks/useInvitation"; +import { useFormik } from 'formik'; +import * as Yup from 'yup'; +import { Button } from 'react-daisyui'; +import toast from 'react-hot-toast'; +import { useRouter } from 'next/router'; +import { useTranslation } from 'next-i18next'; +import type { User } from '@prisma/client'; +import type { ApiResponse } from 'types'; +import { InputWithLabel, Loading, Error } from '@/components/shared'; +import useInvitation from 'hooks/useInvitation'; const JoinWithInvitation = ({ inviteToken, @@ -17,13 +17,13 @@ const JoinWithInvitation = ({ next: string; }) => { const router = useRouter(); - const { t } = useTranslation("common"); + const { t } = useTranslation('common'); const { isLoading, error, invitation } = useInvitation(inviteToken); const formik = useFormik({ initialValues: { - name: "", + name: '', email: invitation?.email, }, validationSchema: Yup.object().shape({ @@ -32,8 +32,8 @@ const JoinWithInvitation = ({ }), enableReinitialize: true, onSubmit: async (values) => { - const response = await fetch("/api/auth/join", { - method: "POST", + const response = await fetch('/api/auth/join', { + method: 'POST', body: JSON.stringify(values), }); 
@@ -45,9 +45,9 @@ const JoinWithInvitation = ({ } formik.resetForm(); - toast.success(t("successfully-joined")); + toast.success(t('successfully-joined')); - return next ? router.push(next) : router.push("/auth/login"); + return next ? router.push(next) : router.push('/auth/login'); }, }); @@ -86,10 +86,10 @@ const JoinWithInvitation = ({ active={formik.dirty} fullWidth > - {t("create-account")} + {t('create-account')}
-

{t("sign-up-message")}

+

{t('sign-up-message')}

); diff --git a/components/interfaces/CSC/CscAuditLogs.tsx b/components/interfaces/CSC/CscAuditLogs.tsx index 9cfd71da..9c9b2a14 100644 --- a/components/interfaces/CSC/CscAuditLogs.tsx +++ b/components/interfaces/CSC/CscAuditLogs.tsx @@ -1,34 +1,32 @@ -import React from 'react' +import React from 'react'; import type { Task } from '@prisma/client'; import type { CscAuditLog } from 'types'; import { IssuePanelContainer } from 'sharedStyles'; +const CscAuditLogs = ({ task }: { task: Task }) => { + const taskProperties = task?.properties as any; + const auditLogs = taskProperties.csc_audit_logs as CscAuditLog[] | undefined; + return ( + +
+

CSC audit logs

+ {auditLogs && + auditLogs + .sort((a, b) => b.date - a.date) + .map((log) => { + return ( +
+

User: {log.actor.name}

+

Action: {log.event}

+

Date: {new Date(log.date).toLocaleDateString()}

+

Previous value: {log.diff.prevValue}

+

Next value: {log.diff.nextValue}

+
+ ); + })} +
+
+ ); +}; -const CscAuditLogs = ({ - task -} : { - task: Task -}) => { - const taskProperties = task?.properties as any - const auditLogs = taskProperties.csc_audit_logs as CscAuditLog[] | undefined - return ( - -
-

CSC audit logs

- {auditLogs && auditLogs.sort((a, b) => b.date - a.date).map((log) => { - return ( -
-

User: {log.actor.name}

-

Action: {log.event}

-

Date: {new Date(log.date).toLocaleDateString()}

-

Previous value: {log.diff.prevValue}

-

Next value: {log.diff.nextValue}

-
- ) - })} -
-
- ) -} - -export default CscAuditLogs \ No newline at end of file +export default CscAuditLogs; diff --git a/components/interfaces/CSC/PieChart.tsx b/components/interfaces/CSC/PieChart.tsx index a6d8d0ca..039ae5b2 100644 --- a/components/interfaces/CSC/PieChart.tsx +++ b/components/interfaces/CSC/PieChart.tsx @@ -1,11 +1,11 @@ -import React from "react"; -import { Chart as ChartJS, ArcElement, Tooltip, Legend } from "chart.js"; -import { Pie } from "react-chartjs-2"; -import { statusOptions } from "@/components/defaultLanding/data/configs/csc"; +import React from 'react'; +import { Chart as ChartJS, ArcElement, Tooltip, Legend } from 'chart.js'; +import { Pie } from 'react-chartjs-2'; +import { statusOptions } from '@/components/defaultLanding/data/configs/csc'; ChartJS.register(ArcElement, Tooltip, Legend); -const countStatuses = (statuses: { [key: string]: string; }) => { +const countStatuses = (statuses: { [key: string]: string }) => { const labels = statusOptions.map(({ label }) => label); const countArray = labels.map( (name) => 
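Review bot: In CscAuditLogs, `task?.properties` is optional-chained but the next line dereferences `taskProperties.csc_audit_logs` unconditionally, so a missing task throws a TypeError instead of rendering nothing; either drop the `?.` or write `const auditLogs = taskProperties?.csc_audit_logs as CscAuditLog[] | undefined;`. The render also calls `auditLogs.sort((a, b) => b.date - a.date)` directly on the array held inside the task's properties, which reorders that shared object in place on every render; sort a copy instead with `[...auditLogs].sort((a, b) => b.date - a.date)`. The `as any` cast on `properties` is what hides both problems from the compiler; presumably `properties` is a JSON column, in which case a narrow assertion such as `{ csc_audit_logs?: CscAuditLog[] }` would still compile and keep the checks.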
@@ -14,45 +14,41 @@ const countStatuses = (statuses: { [key: string]: string; }) => { return countArray; }; -const PieChart = ({ - statuses - }: { - statuses: { [key: string]: string; } -}) => { +const PieChart = ({ statuses }: { statuses: { [key: string]: string } }) => { const data = { labels: [ - "Unknown", - "Not Applicable", - "Not Performed", - "Performed Informally", - "Planned", - "Well Defined", - "Quantitatively Controlled", - "Continuously Improving", + 'Unknown', + 'Not Applicable', + 'Not Performed', + 'Performed Informally', + 'Planned', + 'Well Defined', + 'Quantitatively Controlled', + 'Continuously Improving', ], datasets: [ { - label: "# of Controls", + label: '# of Controls', data: countStatuses(statuses), backgroundColor: [ - "rgba(241, 241, 241, 1)", - "rgba(178, 178, 178, 1)", - "rgba(255, 0, 0, 1)", - "rgba(202, 0, 63, 1)", - "rgba(102, 102, 102, 1)", - "rgba(255, 190, 0, 1)", - "rgba(106, 217, 0, 1)", - "rgba(47, 143, 0, 1)", + 'rgba(241, 241, 241, 1)', + 'rgba(178, 178, 178, 1)', + 'rgba(255, 0, 0, 1)', + 'rgba(202, 0, 63, 1)', + 'rgba(102, 102, 102, 1)', + 'rgba(255, 190, 0, 1)', + 'rgba(106, 217, 0, 1)', + 'rgba(47, 143, 0, 1)', ], borderColor: [ - "rgba(241, 241, 241, 1)", - "rgba(178, 178, 178, 1)", - "rgba(255, 0, 0, 1)", - "rgba(202, 0, 63, 1)", - "rgba(102, 102, 102, 1)", - "rgba(255, 190, 0, 1)", - "rgba(106, 217, 0, 1)", - "rgba(47, 143, 0, 1)", + 'rgba(241, 241, 241, 1)', + 'rgba(178, 178, 178, 1)', + 'rgba(255, 0, 0, 1)', + 'rgba(202, 0, 63, 1)', + 'rgba(102, 102, 102, 1)', + 'rgba(255, 190, 0, 1)', + 'rgba(106, 217, 0, 1)', + 'rgba(47, 143, 0, 1)', ], borderWidth: 1, }, @@ -62,20 +58,20 @@ const PieChart = ({ const options: any = { plugins: { legend: { - position: "right", + position: 'right', }, title: { display: true, - text: "Controls", + text: 'Controls', }, }, maintainAspectRatio: false, - responsive: true + responsive: true, }; countStatuses(statuses); - return ; + return ; }; export default PieChart; 
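Review bot: In PieChart, the bare `countStatuses(statuses);` just before the `return` is a dead call whose result is discarded — the counts are already computed into `datasets[0].data` above — and should be removed. The `labels` array is a hand-written list while countStatuses derives its order from `statusOptions`, so a rename or reorder in the config would silently mislabel slices; if these are the same strings, `labels: statusOptions.map(({ label }) => label)` keeps the two in step. `const options: any` drops type checking on the chart configuration; a typed options object from the chart library, if the project's version exports one, would catch misspelled keys at compile time.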
diff --git a/components/interfaces/CSC/RadarChart.tsx b/components/interfaces/CSC/RadarChart.tsx index f6ca7d5f..1efda392 100644 --- a/components/interfaces/CSC/RadarChart.tsx +++ b/components/interfaces/CSC/RadarChart.tsx @@ -1,4 +1,4 @@ -import React from "react"; +import React from 'react'; import { Chart as ChartJS, RadialLinearScale, @@ -7,10 +7,17 @@ import { Filler, Tooltip, Legend, -} from "chart.js"; -import { Radar } from "react-chartjs-2"; +} from 'chart.js'; +import { Radar } from 'react-chartjs-2'; //TODO: GETSECTIONS INSTEAD OF SECTIONS -import { sections, controls, statusOptions, getRadarChartLabels, mergePoints, getSections } from "@/components/defaultLanding/data/configs/csc"; +import { + sections, + controls, + statusOptions, + getRadarChartLabels, + mergePoints, + getSections, +} from '@/components/defaultLanding/data/configs/csc'; ChartJS.register( RadialLinearScale, 
@@ -45,28 +52,35 @@ ChartJS.register( // return mergedPoints; // } +const getMaturityLevels = ( + statuses: { [key: string]: string }, + ISO: string +) => { + const sections = getSections(ISO); + const data = sections + .map(({ label }) => label) + .map((label) => { + const totalControls = controls[ISO].filter( + ({ Section }) => Section === label + ).map(({ Control }) => Control); + console.log('totalControls', { totalControls, statusOptions, statuses }); + const totalControlsValue = totalControls.reduce( + (accumulator, control) => + (statusOptions.find(({ label }) => label === statuses[control]) + ?.value || 0) + accumulator, + 0 + ); + return totalControlsValue / totalControls.length; + }); + const roundedData = data.map((value) => Math.round(value)); -const getMaturityLevels = (statuses: { [key: string]: string; }, ISO: string) => { - const sections = getSections(ISO) - const data = sections - .map(({ label }) => label) - .map(label => { - const totalControls = controls[ISO] - .filter(({ Section }) => Section === label) - .map(({ Control }) => Control) - console.log('totalControls', {totalControls, statusOptions, statuses}) - const totalControlsValue = totalControls.reduce((accumulator, control) => (statusOptions.find(({ label }) => label === statuses[control])?.value || 0 )+ accumulator, 0); - return totalControlsValue / totalControls.length - }) - const roundedData = data.map(value => Math.round(value)) - - if (ISO != '2013') { - return roundedData - } else { - const mergedPoints = mergePoints(roundedData) - console.log('mergedPoints', {mergedPoints, roundedData}) - return mergedPoints - } + if (ISO != '2013') { + return roundedData; + } else { + const mergedPoints = mergePoints(roundedData); + console.log('mergedPoints', { mergedPoints, roundedData }); + return mergedPoints; + } // if (typeof statusOptions === "undefined") { // return // } 
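Review bot: getMaturityLevels keeps two `console.log` calls (`'totalControls'` and `'mergedPoints'`) that run once per section on every render and dump the team's full control-status map to the browser console; they are leftover debugging and should be removed before this ships. `totalControlsValue / totalControls.length` divides by zero when a section has no matching entry in `controls[ISO]`, which yields NaN and a broken radar point — guard it with `return totalControls.length ? totalControlsValue / totalControls.length : 0;`. `if (ISO != '2013')` should be the strict `!==`, matching the `!== '2013'` comparisons used in csc.ts. The function's body continues past the end of this hunk.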
@@ -89,10 +103,10 @@ const getMaturityLevels = (statuses: { [key: string]: string; }, ISO: string) => const RadarChart = ({ statuses, - ISO + ISO, }: { - statuses: { [key: string]: string; }; - ISO: string + statuses: { [key: string]: string }; + ISO: string; }) => { //getMaturityLevels(statuses); const options = { @@ -108,17 +122,17 @@ const RadarChart = ({ }, }, maintainAspectRatio: false, - responsive: true + responsive: true, }; const data = { // labels: sections.map(({ label }) => label).map((label) => label.split(" ")), labels: getRadarChartLabels(ISO), datasets: [ { - label: "Maturity level from 0 to 6", + label: 'Maturity level from 0 to 6', data: getMaturityLevels(statuses, ISO), - backgroundColor: "rgba(255, 99, 132, 0.2)", - borderColor: "rgba(255, 99, 132, 1)", + backgroundColor: 'rgba(255, 99, 132, 0.2)', + borderColor: 'rgba(255, 99, 132, 1)', borderWidth: 1, }, ], diff --git a/components/interfaces/CSC/SectionFilter.tsx b/components/interfaces/CSC/SectionFilter.tsx index bce0b55b..368d6fbd 100644 --- a/components/interfaces/CSC/SectionFilter.tsx +++ b/components/interfaces/CSC/SectionFilter.tsx @@ -1,17 +1,19 @@ -import React, {Dispatch, SetStateAction} from "react"; -import Select from "@atlaskit/select"; -import { getSectionFilterOptions } from "@/components/defaultLanding/data/configs/csc"; -import { WithoutRing } from "sharedStyles"; +import React, { Dispatch, SetStateAction } from 'react'; +import Select from '@atlaskit/select'; +import { getSectionFilterOptions } from '@/components/defaultLanding/data/configs/csc'; +import { WithoutRing } from 'sharedStyles'; -const SectionFilter = ({ +const SectionFilter = ({ ISO, - setSectionFilter + setSectionFilter, }: { ISO: string; - setSectionFilter: Dispatch> + setSectionFilter: Dispatch< + SetStateAction<{ label: string; value: string }[] | null> + >; }) => { return ( -
+
{ - return ( - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
StatusMeaning
UnknownHas not even been checked yet
Not ApplicableManagement can ignore them
Not PerformedComplete lack of recognizable policy, procedure, control etc.
Performed InformallyDevelopment has barely started and will require significant work to fulfill the requirements
PlannedProgressing nicely but not yet complete
Well DefinedDevelopment is more or less complete, although detail is lacking and/or it is not yet implemented, enforced and actively supported by top management
Quantitatively ControlledDevelopment is complete, the process/control has been implemented and recently started operating
Continuously ImprovingThe requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors
- - ) -} + return ( + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StatusMeaning
UnknownHas not even been checked yet
Not ApplicableManagement can ignore them
Not PerformedComplete lack of recognizable policy, procedure, control etc.
Performed Informally + Development has barely started and will require significant work to + fulfill the requirements +
PlannedProgressing nicely but not yet complete
Well Defined + Development is more or less complete, although detail is lacking + and/or it is not yet implemented, enforced and actively supported by + top management +
Quantitatively Controlled + Development is complete, the process/control has been implemented + and recently started operating +
Continuously Improving + The requirement is fully satisfied, is operating fully as expected, + is being actively monitored and improved, and there is substantial + evidence to prove all that to the auditors +
+ ); +}; const PopupContent = () => { - return ( -
- - - ) -} + return ( +
+
+ + ); +}; const StatusHeader = () => { - const [isOpen, setIsOpen] = useState(false) - return ( - setIsOpen(false)} - placement="bottom-start" - content={() => } - trigger={(triggerProps) => ( -
- Status - -
- )} - /> - ) -} + const [isOpen, setIsOpen] = useState(false); + return ( + setIsOpen(false)} + placement="bottom-start" + content={() => } + trigger={(triggerProps) => ( +
+ Status + +
+ )} + /> + ); +}; -export default StatusHeader \ No newline at end of file +export default StatusHeader; diff --git a/components/interfaces/CSC/StatusSelector.tsx b/components/interfaces/CSC/StatusSelector.tsx index 41c86777..8e95b23e 100644 --- a/components/interfaces/CSC/StatusSelector.tsx +++ b/components/interfaces/CSC/StatusSelector.tsx @@ -1,12 +1,15 @@ -import React, { useEffect, useState } from "react"; -import Select from "@atlaskit/select"; -import { statusOptions, colourStyles } from "@/components/defaultLanding/data/configs/csc"; -import { WithoutRing } from "sharedStyles"; +import React, { useEffect, useState } from 'react'; +import Select from '@atlaskit/select'; +import { + statusOptions, + colourStyles, +} from '@/components/defaultLanding/data/configs/csc'; +import { WithoutRing } from 'sharedStyles'; -const StatusSelector = ({ - statusValue, - control, - handler +const StatusSelector = ({ + statusValue, + control, + handler, }: { statusValue: string; control: string; @@ -15,9 +18,9 @@ const StatusSelector = ({ const [value, setValue] = useState(statusValue); useEffect(() => { - setValue(statusValue) - }, [statusValue]) - + setValue(statusValue); + }, [statusValue]); + return (
*/} -
+
- - - - - - + + + + + + - {pageData.map((option, index) => - + {pageData.map((option, index) => ( + + + + - - - - )} + ))}
CodeSectionControlRequirementsTickets + Code + + Section + + Control + + Requirements + + + + Tickets +
{option.value.code}{option.value.section}{option.value.control} - {option.value.code} + + {option.value.requirements} + - {option.value.section} - - {option.value.control} - - {option.value.requirements} - - {canAccess('task', ['update']) - ?
- + {canAccess('task', ['update']) ? ( +
+
- : {statuses[option.value.control]} - } + ) : ( + + {statuses[option.value.control]} + + )}
- {canAccess('task', ['update']) - ? - : - } - + {canAccess('task', ['update']) ? ( + + ) : ( + + )}
- {pageData.length - ?
+ {pageData.length ? ( +
- + - +
- : null - } + ) : null} - ) -} + ); +}; -export default StatusesTable \ No newline at end of file +export default StatusesTable; diff --git a/components/interfaces/CSC/TaskSelector.tsx b/components/interfaces/CSC/TaskSelector.tsx index cbda745d..152fe08d 100644 --- a/components/interfaces/CSC/TaskSelector.tsx +++ b/components/interfaces/CSC/TaskSelector.tsx 
@@ -1,50 +1,68 @@ -import React, { useState, useEffect } from 'react' -import Select from '@atlaskit/select' +import React, { useState, useEffect } from 'react'; +import Select from '@atlaskit/select'; import { WithoutRing } from 'sharedStyles'; import { getCscControlsProp } from '@/lib/csc'; -import type { Task } from "@prisma/client"; +import type { Task } from '@prisma/client'; import type { CscOption } from 'types'; -const TaskSelector = ({ - tasks, - control, - handler, - ISO -} : { - tasks: Array; - control: string; - handler: (action: string, dataToRemove: any, control: string) => Promise; - ISO: string +const TaskSelector = ({ + tasks, + control, + handler, + ISO, +}: { + tasks: Array; + control: string; + handler: ( + action: string, + dataToRemove: any, + control: string + ) => Promise; + ISO: string; }) => { - const [value, setValue] = useState([]) - const [options, setOptions] = useState([]) + const [value, setValue] = useState([]); + const [options, setOptions] = useState([]); - useEffect(() => { - const options = tasks.map(task => ({ label: task.title, value: task.taskNumber })) - const cscStatusesProp = getCscControlsProp(ISO) - const selectedOptions = tasks.filter((task: any) => task.properties?.[cscStatusesProp]?.find((item: string) => item === control))?.map(issue => ({ label: issue.title, value: issue.taskNumber })) - setOptions(options) - setValue(selectedOptions) - }, []) - return ( - - { + const { action, option, removedValue, removedValues } = actionMeta; + setValue([...selectedIssue]); + const dataToRemove = option + ? [option] + : removedValue + ? [removedValue] + : removedValues; + handler(action, dataToRemove, control); + }} + value={value} + placeholder="Tasks" + isMulti + /> + + ); +}; -export default TaskSelector \ No newline at end of file +export default TaskSelector; diff --git a/components/interfaces/CSC/TasksList.tsx b/components/interfaces/CSC/TasksList.tsx index f6e460ab..5cb523e6 100644 
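Review bot: In TaskSelector's onChange, `handler(action, dataToRemove, control);` returns a Promise that is neither awaited nor caught, so a failed update becomes an unhandled rejection while `setValue([...selectedIssue])` has already shown the new selection as if it succeeded. Make the callback async and order it `await handler(action, dataToRemove, control); setValue([...selectedIssue]);` inside a try/catch that reports the failure, or at minimum `void handler(action, dataToRemove, control).catch(...)`. The old side of the hunk shows the options-building `useEffect` running with an empty dependency list although it reads `tasks`, `ISO` and `control`; the new side's JSX is not legible here, but if that list was kept the selector will not refresh when those props change.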
--- a/components/interfaces/CSC/TasksList.tsx +++ b/components/interfaces/CSC/TasksList.tsx @@ -1,31 +1,36 @@ -import React, { useState } from 'react' -import Link from "next/link"; -import { useRouter } from "next/router"; -import type { Task } from "@prisma/client"; +import React, { useState } from 'react'; +import Link from 'next/link'; +import { useRouter } from 'next/router'; +import type { Task } from '@prisma/client'; const TasksList = ({ - tasks, - control, + tasks, + control, }: { - tasks: Array - control: string, + tasks: Array; + control: string; }) => { - const [selectedTasks] = useState>(tasks.filter((task: any) => task.properties?.csc_controls?.find((item: string) => item === control))) + const [selectedTasks] = useState>( + tasks.filter( + (task: any) => + task.properties?.csc_controls?.find((item: string) => item === control) + ) + ); - const router = useRouter(); - const { slug } = router.query; + const router = useRouter(); + const { slug } = router.query; - return ( -
- {selectedTasks.map(task => ( - -
- {task.title} -
- - ))} -
- ) -} + return ( +
+ {selectedTasks.map((task) => ( + +
+ {task.title} +
+ + ))} +
+ ); +}; -export default TasksList \ No newline at end of file +export default TasksList; diff --git a/components/interfaces/CSC/issue_panel/ControlBlock.tsx b/components/interfaces/CSC/issue_panel/ControlBlock.tsx index 78cd618d..724918b5 100644 --- a/components/interfaces/CSC/issue_panel/ControlBlock.tsx +++ b/components/interfaces/CSC/issue_panel/ControlBlock.tsx @@ -1,15 +1,21 @@ -import React, { useState, useCallback, Dispatch, SetStateAction, useMemo } from 'react' -import axios from "axios"; -import toast from "react-hot-toast"; -import { useRouter } from "next/router"; -import Select from '@atlaskit/select' -import Button, { LoadingButton } from '@atlaskit/button' -import TrashIcon from '@atlaskit/icon/glyph/trash' -import TextArea from '@atlaskit/textarea' -import Textfield from '@atlaskit/textfield' -import { WithoutRing } from "sharedStyles" +import React, { + useState, + useCallback, + Dispatch, + SetStateAction, + useMemo, +} from 'react'; +import axios from 'axios'; +import toast from 'react-hot-toast'; +import { useRouter } from 'next/router'; +import Select from '@atlaskit/select'; +import Button, { LoadingButton } from '@atlaskit/button'; +import TrashIcon from '@atlaskit/icon/glyph/trash'; +import TextArea from '@atlaskit/textarea'; +import Textfield from '@atlaskit/textfield'; +import { WithoutRing } from 'sharedStyles'; import { getControlOptions } from '@/components/defaultLanding/data/configs/csc'; -import StatusSelector from '../StatusSelector' +import StatusSelector from '../StatusSelector'; const ControlBlock = ({ ISO, @@ -20,7 +26,7 @@ const ControlBlock = ({ isSaving, isDeleting, deleteControlHandler, - setStatuses + setStatuses, }: { ISO: string; status: string; 
@@ -30,27 +36,28 @@ const ControlBlock = ({ isSaving: boolean; isDeleting: boolean; deleteControlHandler: (control: string) => void; - setStatuses: Dispatch> + setStatuses: Dispatch< + SetStateAction<{ + [key: string]: string; + }> + >; }) => { - console.log('status control block', status) + console.log('status control block', status); const router = useRouter(); const { slug } = router.query; - const [isButtonLoading, setIsButtonLoading] = useState(false) + const [isButtonLoading, setIsButtonLoading] = useState(false); - const controlOptions = useMemo(() => getControlOptions(ISO), [ISO]) - const controlData = controlOptions.find(({ value }) => value.control === control)?.value + const controlOptions = useMemo(() => getControlOptions(ISO), [ISO]); + const controlData = controlOptions.find( + ({ value }) => value.control === control + )?.value; const statusHandler = useCallback(async (control: string, value: string) => { - const response = await axios.put( - `/api/teams/${slug}/csc`, - { - control, - value, - } - ); + const response = await axios.put(`/api/teams/${slug}/csc`, { + control, + value, + }); const { data, error } = response.data; @@ -58,38 +65,49 @@ const ControlBlock = ({ toast.error(error.message); return; } else { - toast.success("Status changed!") + toast.success('Status changed!'); } - setStatuses(data.statuses) - }, []) + setStatuses(data.statuses); + }, []); return ( <>
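Review bot: `statusHandler` is wrapped in `useCallback(async (...) => { ... }, [])` but reads `slug` from the router and calls `setStatuses`, so it is frozen with the values of the first render; if `router.query.slug` is not yet populated on that render, which may happen before hydration completes, the PUT goes to `/api/teams/undefined/csc`. Use `}, [slug, setStatuses]);` as the dependency list. `console.log('status control block', status);` fires on every render and is leftover debugging that should be removed. The `axios.put` call is not wrapped in try/catch, so a non-2xx response rejects before `response.data` is read; the callback continues past the end of this hunk, so it may be handled there.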
-

Select a control

-
+

Select a control

+